CVE-2005-2847 - Remote Command Execution vulnerability in Barracuda Networks Barracuda Spam Firewall 3.1.16/3.1.17

CVSS 7.5 - HIGH

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: PARTIAL
  • Integrity impact: PARTIAL
  • Availability impact: PARTIAL

Tags: network, low complexity, barracuda-networks, nessus, exploit available, metasploit

Summary

img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter.

Exploit-DB

  • description: Barracuda Spam Firewall < 3.1.18 Command Execution Exploit (meta). CVE-2005-2847, CVE-2005-2848. Webapps exploit for cgi platform
    id: EDB-ID:1236
    last seen: 2016-01-31
    modified: 2005-09-27
    published: 2005-09-27
    reporter: Nicolas Gregoire
    source: https://www.exploit-db.com/download/1236/
    title: Barracuda Spam Firewall < 3.1.18 Command Execution Exploit meta
  • description: Barracuda IMG.PL Remote Command Execution. CVE-2005-2847. Webapps exploit for cgi platform
    id: EDB-ID:16893
    last seen: 2016-02-02
    modified: 2010-04-30
    published: 2010-04-30
    reporter: metasploit
    source: https://www.exploit-db.com/download/16893/
    title: Barracuda IMG.PL Remote Command Execution

Metasploit

description: This module exploits an arbitrary command execution vulnerability in the Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.
id: MSF:EXPLOIT/UNIX/WEBAPP/BARRACUDA_IMG_EXEC
last seen: 2020-01-08
modified: 2017-09-08
published: 2007-01-05
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/barracuda_img_exec.rb
title: Barracuda IMG.PL Remote Command Execution

Nessus

NASL family: CGI abuses
NASL id: BARRACUDA_SPAM_FIREWALL_3118.NASL
description: The remote host appears to be a Barracuda Spam Firewall network appliance, which protects mail servers from spam, viruses, and the like. Further, it appears that the installed appliance suffers from several vulnerabilities that allow for execution of arbitrary code and reading of arbitrary files, all subject to the permissions of the web server user id.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 19556
published: 2005-09-01
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/19556
title: Barracuda Spam Firewall < 3.1.18 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(19556);
  script_version("1.20");
  script_cvs_date("Date: 2018/06/13 18:56:26");

  script_cve_id("CVE-2005-2847", "CVE-2005-2848");
  script_bugtraq_id(14710, 14712);
  script_xref(name:"EDB-ID", value:"1236");

  script_name(english:"Barracuda Spam Firewall < 3.1.18 Multiple Vulnerabilities");
  script_summary(english:"Attempts to access a local file via directory traversal");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be a Barracuda Spam Firewall network
appliance, which protects mail servers from spam, viruses, and the
like.

Further, it appears that the installed appliance suffers from several
vulnerabilities that allow for execution of arbitrary code and reading
of arbitrary files, all subject to the permissions of the web server
user id.");
  # http://web.archive.org/web/20051026050318/http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e58e748c");
  script_set_attribute(attribute:"solution", value:
"Upgrade to firmware 3.1.18 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Barracuda IMG.PL Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/09/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:barracuda_networks:barracuda_spam_firewall");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("barracuda_detect.nasl");
  script_require_ports("Services/www", 8000);
  script_require_keys("www/barracuda_spamfw");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:8000, embedded:TRUE);
get_kb_item_or_exit("www/barracuda_spamfw");

# Try to exploit one of the flaws to read /etc/passwd.
r = http_send_recv3(
  method : "GET",
  port   : port,
  item   : "/cgi-bin/img.pl?" + "f=../etc/passwd",
  exit_on_fail : TRUE
);
res = r[2];

# There's a problem if there's an entry for root.
if (egrep(string:res, pattern:"root:.*:0:[01]:"))
  security_hole(port);
else audit(AUDIT_LISTEN_NOT_VULN, "Barracuda Spam Firewall", port);

Packetstorm

data source: https://packetstormsecurity.com/files/download/82353/barracuda_img_exec.rb.txt
id: PACKETSTORM:82353
last seen: 2016-12-05
published: 2009-10-30
reporter: Nicolas Gregoire
source: https://packetstormsecurity.com/files/82353/Barracuda-IMG.PL-Remote-Command-Execution.html
title: Barracuda IMG.PL Remote Command Execution