Assurance.com.au - Vulnerability Advisory
-----------------------------------------------

Release Date:      14-Mar-2005
Software:          Barracuda Networks Spam Firewall
                   http://www.barracudanetworks.com/
Versions affected: All firmware versions > 3.0 and <= 3.1.12
                   (spam def <= 2.1.1453)
                   All models

Vulnerabilities discovered:

(1) A vulnerability in smtp_test.cgi allows execution of commands as the
    apache uid. Access to this cgi is pre-authentication, meaning anyone
    can 'GET' the cgi, passing special parameters to it which are then
    executed on the system.

(2) Several vulnerabilities exist in other web-ui cgi scripts (details
    below).

Vulnerability impact:

(1) Critical - root level access via web-ui (no authentication is required)
(2) Low - Insecure web-ui allows unauthenticated access to several features

Vulnerability information:

(1) smtp_test.cgi uses passed cgi data as arguments in a backtick call to
    another perl script, used to test mail server connectivity. These values
    are not sanitized at all and allow easy exploitation: the shell that
    runs the backtick command interprets quotes and nested backticks in the
    parameter, so an attacker-supplied command runs before the perl script
    is even started.

    Example:
    http://example.org/cgi-bin/smtp_test.cgi?host='`ping+example.com+-c+1`'

    The ping in the example is a harmless, out-of-band confirmation: the
    ICMP echo request sent from the appliance to the named host shows that
    the injected command ran.

    Gaining root after this is trivial for many reasons; the most
    keystroke-free would have to be via the sudoers file, which allows the
    apache uid to sudo chown/chmod - among other things.

(2) Several web-ui cgi features are accessible without requiring
    authentication; further research was not conducted. These include:

    /cgi-bin/mail_queue.cgi
    /cgi-bin/mark.cgi
    /cgi-bin/preview_email.cgi
    /cgi-bin/show_queues.cgi
    /cgi-bin/request_web.cgi
    /cgi-bin/request_support.cgi
    /cgi-bin/show_quar_queues.cgi
    /cgi-bin/show_sync_queue.cgi
    /cgi-bin/stats.cgi

Solution:

Barracuda Networks have released patches for the vulnerabilities. Ensure the
firmware level is above 3.1.12 (firmware 3.0 and below is not affected).

References:

Assurance.com.au advisory
http://www.assurance.com.au/advisories/200503-barracuda.txt

Barracuda Networks advisory note
http://www.barracudanetworks.com/support/docs/securityupdate.php

Credit:

Adam Pointon of Assurance.com.au
http://www.assurance.com.au/

Disclosure timeline:

18-Feb-2005 - Discovered during quick audit of a demo system
24-Feb-2005 - Emailed support@barracudanetworks.com
24-Feb-2005 - Email & PGP key received from Denis Kieft
25-Feb-2005 - Full details sent to Barracuda
 8-Mar-2005 - Firmware updates released
14-Mar-2005 - Advisory released

About us:

Assurance.com.au is a specialised information security consultancy. Our
mission is to help organisations identify and secure their information
assets. Our expertise concentrates in security architecture design, managed
security and professional services in security testing/review and
compliance. Supporting this approach are professional and managed services
in the following areas:

 * Intrusion Detection/Prevention Systems
 * "firewall", gateway & control architecture design
 * Penetration testing, security reviews and compliance auditing
 * change management
 * policy and procedure analysis and development
 * security resource provision and recruiting
 * bespoke consultancy in UNIX-like systems, networks and security

Assurance.com.au also provides organisations with services to support
compliance to legislative, public and internal/private standards. While
primarily specialising in Australian & New Zealand standards efforts,
Assurance.com.au also works with other international standards related to
information security. These include:

 * ISO/IEC 17799:*, AS/NZS 17799:*, BS7799
 * ISO 15408 (Common Criteria), ITSEC, TCSEC
 * ISO 13569, ISO 11131
 * ACSI33, AS2805, AS3806, AS4360, AS4539, AS8018, HB231:2001, NPP4 (privacy)
 * Sarbanes-Oxley

Assurance.com.au can assist your company through all phases of information
security lifecycle management.
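Appendix (added example, not part of the original advisory and not code from
Barracuda's firmware): the command injection described under Vulnerability
information (1) reproduced in Python, beside the hardened form and a check
that flags exploit attempts in web-server access logs. The helper script
name smtp_check.pl, the single-quoting of the parameter on the command line,
the 10.0.0.x client addresses and the log lines are all constructed for
illustration; the injected URL is the one from the advisory.

```python
# Added example (not from the Assurance.com.au advisory or Barracuda's code):
# reproduces the smtp_test.cgi bug class, shows the fix, and flags attempts
# in Apache-style access logs. 'smtp_check.pl', the quoting "'$host'" and the
# sample log lines are assumptions made for this illustration.
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# RFC 1123 host name shape: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters in total at most.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def host_param(query_string):
    """Return the raw 'host' CGI parameter as a CGI library would decode it
    (percent-decoding applied, '+' turned into a space)."""
    return parse_qs(query_string, keep_blank_values=True).get("host", [""])[0]

def vulnerable_command(query_string):
    """The advisory's pattern: the unsanitised parameter is pasted into a command
    string that a backtick call hands to /bin/sh. Only the string is built here;
    it is never executed."""
    return "smtp_check.pl '%s'" % host_param(query_string)

def shell_substitutions(cmdline):
    """Walk the command line the way the shell would and return every backtick
    command substitution that sits outside single quotes, i.e. the commands the
    shell runs before the intended program even starts."""
    found, in_single, i = [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "'":
            in_single = not in_single
        elif c == "`" and not in_single:
            end = cmdline.find("`", i + 1)
            if end == -1:
                break
            found.append(cmdline[i + 1:end])
            i = end
        i += 1
    return found

def safe_argv(query_string):
    """Hardened form: validate the parameter against a strict host-name grammar
    and pass it as its own argv element, so no shell ever parses it."""
    host = host_param(query_string)
    if not HOST_RE.match(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["smtp_check.pl", host]

def run_smtp_test(query_string):
    """Execute the hardened command without a shell (shell=False is the default)."""
    return subprocess.run(safe_argv(query_string), capture_output=True, text=True)

# Constructed Apache-style access log lines; the client addresses are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2005:10:01:02 +1100] "GET /cgi-bin/smtp_test.cgi?host=mail.example.org HTTP/1.1" 200 512
10.0.0.9 - - [14/Mar/2005:10:02:17 +1100] "GET /cgi-bin/smtp_test.cgi?host='%60ping+example.com+-c+1%60' HTTP/1.1" 200 733
10.0.0.9 - - [14/Mar/2005:10:02:40 +1100] "GET /cgi-bin/stats.cgi HTTP/1.1" 200 2048
10.0.0.7 - - [14/Mar/2005:10:03:01 +1100] "GET /cgi-bin/smtp_test.cgi?host=a.example.org|id HTTP/1.1" 200 600
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SHELL_META = set("`$;|&'\"()<>")

def suspicious_requests(log_text):
    """Return (client, decoded host) for smtp_test.cgi hits whose host parameter
    carries shell metacharacters. The parameter is decoded exactly as the CGI
    would decode it, so percent-encoded backticks are caught too."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/cgi-bin/smtp_test.cgi":
            continue
        host = host_param(url.query)
        if any(ch in SHELL_META for ch in host):
            hits.append((line.split()[0], host))
    return hits

if __name__ == "__main__":
    payload = "host='`ping+example.com+-c+1`'"      # query string from the advisory
    print(vulnerable_command(payload))
    print(shell_substitutions(vulnerable_command(payload)))
    print(safe_argv("host=mail.example.org"))
    print(suspicious_requests(SAMPLE_LOG))
```

The payload works because the first quote in it closes the single-quoted
argument the script built, leaving the backticks for the shell to expand;
the hardened version never builds a command string at all, and the host-name
grammar rejects the quotes and backticks outright, which is the check worth
having even where a shell is not involved.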