141 lines
No EOL
6.8 KiB
Text
141 lines
No EOL
6.8 KiB
Text
Document Title:
|
|
===============
|
|
Barracuda Networks Cloud Series - Filter Bypass Vulnerability
|
|
|
|
|
|
References (Source):
|
|
====================
|
|
http://www.vulnerability-lab.com/get_content.php?id=754
|
|
|
|
Barracuda Networks Security ID (BNSEC): 731
|
|
|
|
|
|
Release Date:
|
|
=============
|
|
2015-01-19
|
|
|
|
|
|
Vulnerability Laboratory ID (VL-ID):
|
|
====================================
|
|
754
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
4.5
|
|
|
|
|
|
Abstract Advisory Information:
|
|
==============================
|
|
The Vulnerability Laboratory Research Team discovered a filter bypass vulnerability in the official Barracuda Cloud Series Products.
|
|
|
|
|
|
Vulnerability Disclosure Timeline:
|
|
==================================
|
|
2015-01-19: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Discovery Status:
|
|
=================
|
|
Published
|
|
|
|
|
|
Affected Product(s):
|
|
====================
|
|
Barracuda Networks
|
|
Product: Cloud Control Center 2014 Q2
|
|
|
|
|
|
Exploitation Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity Level:
|
|
===============
|
|
Medium
|
|
|
|
|
|
Technical Details & Description:
|
|
================================
|
|
A filter bypass vulnerability has been discovered in the official Barracuda Networks Cloud Series Appliance Applications 2014-Q1.
|
|
The filter bypass issue allows an attacker to bypass the secure filter validation of the service to execute malicious script codes.
|
|
|
|
The barracuda filter blocks for example standard iframes, scripts and other invalid code context: The cloud service has a own exception-handling
|
|
to parse or encode malicious injected web context. The mechanism filters the first request and sanitizes the output in every input field.
|
|
|
|
During a pentest we injected a standard iframe to check and provoke the validation. The frame got blocked! In the next step the attacker splits (%20%20%20)
|
|
the request and injects at the end an onload frame to an external malicious source. The second iframe with the onload alert executes the script codes after
|
|
the validation encoded only the first script code tag. The second script code tag can bypass the applicance filter mechanism and executes in the web context
|
|
of affected modules. The secure validation does not recognize a splitted request which results in client-side and application-side script code execution in
|
|
the cloud series products.
|
|
|
|
The security risk of the filter bypass vulnerability is estimated as medium and the cvss (common vulnerability scoring system) count is 4.5 (medium).
|
|
Exploitation of the filter bypass vulnerability requires a low privileged application user account with restricted access and low user interaction.
|
|
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation
|
|
of affected or connected module context.
|
|
|
|
Vulnerable Request Method(s):
|
|
[+] POST & GET
|
|
|
|
|
|
Proof of Concept (PoC):
|
|
=======================
|
|
The filter bypass web vulnerability can be exploited by local privileged user accounts and remote attackers with low or medium user interaction.
|
|
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
|
|
|
|
PoC:
|
|
<iframe src=a>%20%20%20%20\"><iframe src=http://vuln-lab.com onload=alert("VL") <
|
|
|
|
PoC:
|
|
<script language=JavaScript>m='%3Ciframe%20src%3Da%3E%2520%2520%2520%2520%5C%22%3E%3Ciframe%20src%3Dhttp%3A//vuln-lab.com%20onload%3Dalert%28%22VL%22%29%20%3C';d=unescape(m);document.write(d);</script>
|
|
|
|
|
|
Solution - Fix & Patch:
|
|
=======================
|
|
The issue can be patched by a secure validation of the full message input body context of any input or request method attempt.
|
|
Ensure that the validaton does not only encode the first injected script code since a empty char arrives. Filter all web context
|
|
that runs through the requesting procedure and parse separatly to prevent script code injection attacks.
|
|
|
|
Note: Barracuda Networks patched the vulnerability and acknowledged the researcher. Updates are available in Barracuda Labs and the Customer Service.
|
|
|
|
|
|
Security Risk:
|
|
==============
|
|
The security risk of the filter bypass web vulnerability in the barracuda cloud product series is estimated as medium. (CVSS 4.5)
|
|
|
|
|
|
Credits & Authors:
|
|
==================
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer & Information:
|
|
=========================
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
|
|
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
|
|
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
|
|
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
|
|
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
|
|
policies, deface websites, hack into databases or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
|
|
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
|
|
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
|
|
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
|
|
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
|
|
|
|
--
|
|
VULNERABILITY LABORATORY - RESEARCH TEAM
|
|
SERVICE: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt |