Tuesday, December 11, 2007

[NT] BarracudaDrive Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

BarracudaDrive Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://barracudaserver.com/products/BarracudaDrive/> Barracuda Drive is
"a commercial webserver developed by Real Time Logic and contains many
features". Multiple web application vulnerabilities were discovered in
BarracudaDrive software.

DETAILS

Vulnerable Systems:
* BarracudaDrive version 3.7.2 and prior

Immune Systems:
* BarracudaDrive version 3.8

Directory traversal:
A directory traversal vulnerability is exploitable through the usage of a
backslash or any other char major than 0x7f at the beginning of the URI.
The directories must be delimited by backslashes (and not slashes) for
exploiting the bug.

Example:
http://SERVER/\..\..\..\boot.ini
http://SERVER/%80..\..\..\boot.ini
http://SERVER/%ff..\bdlicense.dat

Scripts source visualization:
All the custom scripts in the server (like the LUA scripts with lsp
extension) can be visualized entirely instead of being executed simply
using a '+', a dot or any other char major than 0x7f after the script's
name.

Example:
http://SERVER/lua.lsp+
http://SERVER/lua.lsp.
http://SERVER/lua.lsp%80

Arbitrary files deleting by users:
BarracudaDrive allows the admin to create users which can then access
their personal folders, chating between them and so on. The problem here
is that these authenticated users can delete files and empty folders
anywhere in the disk on which is located their personal directory simply
using the usual ..\ pattern.

Note that is also possible to create directories in the disk using the
same trick but this is not a real security problem.

Example:
POST /drive/c/bdusers/USER/?cmd=rm HTTP/1.1
Host: SERVER
Cookie: "use the real user's cookie!"
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

dir=..\..\..\file.txt

NULL pointer crash in chat.ehintf by users:
As already said the users can also chat between them using a simple web
interface called Group Chat.
In this case it's enough to avoid the passing of the Connection ID of the
user in the URI for crashing the entire server due to a NULL pointer.

Example:
POST /eh/chat.ehintf/C. HTTP/1.1
Host: SERVER
Content-Type: text/plain
Content-Length: 0
Cookie: "use the real user's cookie!"

HTML injection in the trace viewer:
BarracudaDrive logs any bad or wrong HTTP request received by the clients
and the Trace page in the admin interface can be used to visualize these
log files.

The problem is that they are visualized as HTML and there are no checks or
limitations on their content so a remote attacker can use this bug for
injecting scripts in these files, for example for retrieving the cookie of
the admin and gaining access to the server configuration.

Example:
GET <script>alert('hello');</script> HTTP/1.0


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/barradrive-adv.txt>

http://aluigi.altervista.org/adv/barradrive-adv.txt

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment