BugTraq
Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability Feb 26 2014 11:23PM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Barracuda Networks Backup Appliance Application - Persistent Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=784

BARRACUDA NETWORK SECURITY ID: BNSEC-885

Release Date:
=============
2014-02-26

Vulnerability Laboratory ID (VL-ID):
====================================
784

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
Barracuda Backup Service is a complete and affordable data backup solution. The Barracuda Backup
Server provides a full local data backup and is combined with a storage subscription to replicate
data to two offsite locations. This approach provides the best of both worlds - onsite backups for
fast restore times and secure, offsite storage for disaster recovery. Block level deduplication is
applied inline to reduce traditional backup storage requirements by 20 to 50 times while also
reducing backup windows and bandwidth requirements. Cloud Storage with Deduplication

Barracuda Backup Subscription plans provide diverse offsite storage at affordable monthly fees that
scale to meet increasing data requirements.

* Secure backup to two geo-separate data centers
* Deduplicated efficient backup storage
* Redundant disk-based storage
* Best-of-breed data retention policies
* Web interface multi-location management
* Restore by Web, FTP and Windows software

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/backup_overview.php)

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Barracuda Networks Backup appliance web-application.

Vulnerability Disclosure Timeline:
==================================
2013-12-02: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-12-04: Vendor Notification (Barracuda Networks Security Team)
2013-12-08: Vendor Response/Feedback (Barracuda Networks Security Team)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team)
2014-02-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent web vulnerability has been discovered in the official Barracuda Networks Backup appliance web-application.
The bugs allows remote attackers to inject own malicious script code on the application side (persistent) of the service.

The persistent vulnerability is located in the `remote_host` value of the `Extern Backup` module. Remote attackers are able
to inject via POST method request own malcious script codes as remote_host. The result is the persistent (application-side)
execution out in the vulnerable remote_host list module. The attack vector is persistent on the application-side and the
request method to inject is POST. The security risk of the persistent input validation web vulnerability is estimated as
medium with a cvss (common vulnerability scoring system) count of 3.5(+)|(-)3.6.

Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application appliance
user account. Successful exploitation of the vulnerability results in persistent session hijacking (admin/auditor), persistent
phishing (application-side), persistent external redirect and persistent manipulation of affected or connected vulnerable modules.

Request Method(s):
[+] POST

Vulnerable Section(s):
[+] Jetz Sichern

Vulnerable Module(s):
[+] Extern Backup > Ziel hinzufügen (Add Target) - Listing

Vulnerable Parameter(s):
[+] remote_host (Exception-Handling) - Error (Invalid)

Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by remote attacker with low privileged application user account and
low required user interaction. For demonstration or reproduce ...

Review: Jetz Sichern > Extern Backup > Ziel hinzufügen > [remote_host] > Listing

<div class="fieldGroupInfo">You can optionally choose a Backup Server from your account to load the required info automatically,
or enter it manually.</div>

<div class="fieldGroupError"></div>
</div>
<div class="replication_wrapper">
<div class="fieldGroup statusError"><label class="ultraform_label">Ziel-IP-Adresse:</label>
<span><div class="alba-placeholder" style="position: absolute; background: none repeat scroll 0% 0% transparent;
border-color: transparent; border-style: solid; height: 17px; width: 241px; padding: 2px 3px; font-size: 13px; font-family:
Arial,'Liberation Sans',FreeSans,sans-serif; font-weight: 400; font-style: normal; letter-spacing: normal; line-height: 16px;
text-align: start; text-decoration: none; border-width: 1px; vertical-align: middle; cursor: text; overflow: hidden; text-overflow:
ellipsis; white-space: nowrap; -moz-user-select: none; color: rgba(0, 0, 0, 0.35); top: 79px; left: 268px; display: none;">
Ziel-Hostname oder IP-Adresse</div><input _placeholder="Ziel-Hostname oder IP-Adresse" size="35"
name="remote_host" value="">"<iframe src=a>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!];) <" content_source=""
id="remote_host" type="text">
</span><span class="fieldGroupStatus"> </span>
<div class="fieldGroupInfo">Geben Sie die IP-Adresse oder den Hostnamen des Ziel-Backup-Servers ein. Die Adresse muss von diesem Backup
Server aus erreichbar sein. Alternative Portnummern können angegeben werden. Beispiel: 192.168.1.2:5001</div>
<div class="fieldGroupError">Sie haben keine Erlaubnis zum Hinzufügen oder Editieren von Ziel-Backup-Servern.</div>
</div>

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the remote_host value in the `Extern Backup` module of the `Ziel hinzufügen` function.
Restrict the remote_host input fields and filter the POST method request after the regular mask validation to prevent script code injection attacks.

Security Risk:
==============
The security risk of the persistent web vulnerability is estimated as medium because of the location in the remote_host exception-handling.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus