Nmap Development mailing list archives

http-barracuda-dir-traversal.nse


From: Brendan Coles <bcoles () gmail com>
Date: Wed, 8 Jun 2011 14:00:53 +1000

Hi nmap-dev,

Attached is http-barracuda-dir-traversal.nse which is designed to exploit
the Barracuda directory traversal bug, as per the script ideas page on
secwiki.org.

It extracts a few details about the device and its services in addition to
the server password. There's tonnes of information available in the
Barracuda config files, including plaintext passwords for all mail accounts.
The configuration files often contain hundreds (if not thousands) of user
accounts so I've left this information out for now.

Feedback is welcomed and appreciated.

description = [[
Attempts to retrieve the configuration settings from the MySQL database
dump on a Barracuda Networks Spam & Virus Firewall device using the
directory traversal vulnerability in the "locale" parameter of
"/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi".

The web administration interface runs on port 8000 by default.
]]

--- Summary
-- Original exploit by ShadowHatesYou <Shadow () SquatThis net>
-- Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
-- http://www.exploit-db.com/exploits/15130/
--
-- @usage
-- nmap --script http-barracuda-dir-traversal -p <port> <host>
--
-- @output
-- PORT     STATE SERVICE  REASON
-- 8000/tcp open  http-alt syn-ack
-- | http-barracuda-dir-traversal:
-- | Device: Barracuda Spam Firewall
-- | Version: 4.1.0.0
-- | Hostname: barracuda
-- | Domain: example.com
-- | Timezone: America/Chicago
-- | Language: custom
-- | Password: 123456
-- | Gateway: 192.168.1.1
-- | Primary DNS: 192.168.1.2
-- | Secondary DNS: 192.168.1.3
-- | DNS Cache: No
-- | NTP Enabled: Yes
-- | NTP Server: update01.barracudanetworks.com
-- | SSH Enabled: Yes
-- | BRTS Enabled: No
-- | BRTS Server: fp.bl.barracudanetworks.com
-- | HTTP Disabled: No
-- | HTTP Port: 8000
-- | HTTPS Only: No
-- |_HTTPS Port: 443



Regards,

Brendan Coles
http://itsecuritysolutions.org

Attachment: http-barracuda-dir-traversal.nse

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
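
For defenders reviewing logs for the traversal described in the script's description, the following is an added example and not part of the original post or the attached script. It flags requests to the two view_help.cgi paths whose "locale" parameter is not a plain locale token; the combined-style log format, the allowlist pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints named in the script description above.
HELP_CGI_PATHS = {"/cgi-mod/view_help.cgi", "/cgi-bin/view_help.cgi"}
# Assumption: a legitimate locale is a short token such as "en_US".
SAFE_LOCALE = re.compile(r"[A-Za-z0-9_-]{1,16}")
# Request line inside a combined-style access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_locale(target):
    """Return the decoded locale if it fails the allowlist, else None."""
    parts = urlsplit(target)
    if fully_decode(parts.path) not in HELP_CGI_PATHS:
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(value)
        if name.lower() == "locale" and not SAFE_LOCALE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Yield (line_number, decoded_locale) for each flagged log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        hit = suspicious_locale(match.group(1)) if match else None
        if hit is not None:
            yield number, hit

# Constructed sample log lines (not taken from a real device).
SAMPLE = [
    '192.0.2.10 - - [08/Jun/2011:14:00:53 +1000] "GET /cgi-mod/view_help.cgi?locale=en_US HTTP/1.1" 200 512',
    '192.0.2.44 - - [08/Jun/2011:14:01:02 +1000] "GET /cgi-mod/view_help.cgi?locale=../../../placeholder%00 HTTP/1.1" 200 9001',
    '192.0.2.44 - - [08/Jun/2011:14:01:05 +1000] "GET /cgi-bin/view_help.cgi?locale=%252e%252e%252fplaceholder HTTP/1.1" 200 9001',
    '192.0.2.10 - - [08/Jun/2011:14:02:00 +1000] "GET /index.html?locale=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, locale in scan(SAMPLE):
        print(f"line {number}: suspicious locale {locale!r}")
```

A hit combined with a 200 response and an unusually large body is worth prioritising, since the post notes the retrieved configuration contains plaintext passwords.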