Re: Barracuda Vulnerability: Hardcoded Password [NNL-20060801-01]

["pingywon" <pingywon () hotmail com>]

What is the "purpose" of this password?

I do not see it documented anywhere and not only do I see no way to remove 
it, but I see no reason for it AT ALL

Thank you for both Barracuda posts!

~pingywon MCSE
www.pingywon.com
www.illmob.org
www.freeillwill.com




----- Original Message ----- 
From: <gssincla () nnlsoftware com>
To: <bugtraq () securityfocus com>
Sent: Tuesday, August 01, 2006 5:18 PM
Subject: Barracuda Vulnerability: Hardcoded Password [NNL-20060801-01]


> Title: Barracuda Hardcoded Password Vulnerability
> Severity: High (Sensitive Information Disclosure)
> Date: 01 August 2006
> Version Affected: Barracuda Spam Firewall version 3.3.01.001 to 3.3.03.053
> Discovered by: Greg Sinclair (gssincla () nnlsoftware com)
> Discovered on: 28 May 2006
>
> Overview:
> Barracuda Spam Firewalls (www.barracudanetworks.com) are vulnerable to
> information disclosure which is made possible by a default guest password
>
> Details:
> The Barracuda Spam Firewalls from version 3.3.01.001 to 3.3.02.053 have a 
> hardcoded password for the "guest" account in the Login.pm script. This 
> script is called to validate any user who attempts to login to the 
> barracuda's web interface (typically at http://<deviceIP>:8080 or
> https://<deviceIP>). While the guest account has limited access, the 
> following information can be obtained:
>
> * system configuration including IP accesses, admin IP ACLs
> * email message logs (but not the content of the messages)
> * version information of both spam/antivirus definitions and system 
> firmware version
>
> Used in conjunction with the vulnerability "Barracuda Arbitrary File
> Disclosure" (NNL-20060801-02), the integrity of the system can be 
> compromised. An attacker can use both vulnerabilities to download both
> confidential emails as well as the configuration information (including 
> the admin password).
>
> Additionally, while some accounts such as "admin" are bound by user 
> definable IP ACLs, the guest account is not. This means that sensitive
> information can be disclosed to ANY IP address regardless of the user 
> defined network restrictions.
>
> Proof of Concept:
> Enter the username "guest" into the login page of any open barracuda and 
> the password "bnadmin99"
>
> Recommendations:
> * Never allow your barracuda web interface to be accessible from untrusted 
> networks (especially the Internet)
>
> * Upgrade to version 3.3.0.54 or later
>
>
> Vendor Contact:
> 29 May 2006   - Initial Vendor Contact
> 24 June 2006  - Vendor replies with prospect of fix
> 17 July 2006  - NNL request status update, no reply
> 01 Aug 2006   - NNL releases vuln report, notifies vendor of release