Home page logo
/

nmap-dev logo Nmap Development mailing list archives

http-barracuda-dir-traversal.nse
From: Brendan Coles <bcoles () gmail com>
Date: Wed, 8 Jun 2011 14:00:53 +1000

Hi nmap-dev,

Attached is http-barracuda-dir-traversal.nse which is designed to exploit
the Barracuda directory traversal bug, as per the script ideas page on
secwiki.org

It extracts a few details about the device and its services in addition to
the server password. There's tonnes of information available in the
Barracuda config files, including plaintext passwords for all mail accounts.
The configuration files often contain hundreds (if not thousands) of user
accounts so I've left this information out for now.

Feedback is welcomed and appreciated.

description = [[
Attempts to retrieve the configuration settings from the MySQL database
dump on a Barracuda Networks Spam & Virus Firewall device using the
directory traversal vulnerability in the "locale" parameter of
"/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi".

The web administration interface runs on port 8000 by default.
]]

--- Summary
-- Original exploit by ShadowHatesYou <Shadow () SquatThis net>
-- Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote
Configuration Retrieval
-- http://www.exploit-db.com/exploits/15130/
--
-- @usage
-- nmap --script http-barracuda-dir-traversal -p <port> <host>
--
-- @output
-- PORT   STATE SERVICE   REASON
-- 8000/tcp open  http-alt syn-ack
-- | http-barracuda-dir-traversal:
-- | Device: Barracuda Spam Firewall
-- | Version: 4.1.0.0
-- | Hostname: barracuda
-- | Domain: example.com
-- | Timezone: America/Chicago
-- | Language: custom
-- | Password: 123456
-- | Gateway: 192.168.1.1
-- | Primary DNS: 192.168.1.2
-- | Secondary DNS: 192.168.1.3
-- | DNS Cache: No
-- | NTP Enabled: Yes
-- | NTP Server: update01.barracudanetworks.com
-- | SSH Enabled: Yes
-- | BRTS Enabled: No
-- | BRTS Server: fp.bl.barracudanetworks.com
-- | HTTP Disabled: No
-- | HTTP Port: 8000
-- | HTTPS Only: No
-- |_HTTPS Port: 443



Regards,

Brendan Coles
http://itsecuritysolutions.org

Attachment: http-barracuda-dir-traversal.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault