The 10/09/2010, Tiago Ferreira, submitted a new HTTP scanner auxiliary module to the Metasploit team, “barracuda_directory_traversal“, how was added in the Metasploit Framework SVN.

Interested by this new scanner, I decided to take a look on the initial linked references (OSVDB 68301 / SA41609 / EDB-ID 15130).

At this time EDB-ID 15130 was the initial reference, with 27/09/2010 as creation date, and the associated 0day only mention “Barracuda Networks  Spam & Virus Firewall version 4.1.1.021” as affected product. Today it is still the case. Secunia Advisory was created the 01/10/2010, and only mentioned the same product as the EDB-ID. OSVDB reference was created the 03/10/2010, and same as the other references only mentioned the same affected product.

I decided to test the vulnerability, but first of all I had to find some vulnerable targets. For this purpose SHODAN was the key for my searches. Just type “barracuda” in the SHODAN search engine and you will find hundreds of results.

Directly with SHODAN result i saw different Barracuda fingerprints :

  • Barracuda Link Balancer
  • Barracuda Load Balancer
  • Barracuda Spam Firewall
  • Barracuda Spam & Virus Firewall
  • etc.

To see the scanner in action I tested, with Metasploit, all IPs of the “Barracuda Spam & Firewall” fingerprint. Evidence are clear, more than 90% of the targets where vulnerable. Intrigued by the others fingerprints, I decided to test the exploit by hand, not with Metasploit, on “normally non vulnerable” products. I was surprised when i saw that these products where also vulnerable to this vulnerability. Decided, then, to test it with Metasploit. But the tool returned me that the products where not vulnerables.

Something was wrong with the Metasploit scanner, and/or something was wrong with the references.

In order to improve Metasploit, a tool I love, i opened an issue for the Metasploit team, and decided to find the real reason on these differences.

Here under is the final word of the story.

ShadowHatesYou submitted the 0day to Exploit DB the 27/09/2010, but 28/09/2010 Barracuda has release a security update for most of they products. This discovery was credited to “Randy Janinda” and “Sanjeev Sinha” by Barracuda. The affected products were :

  • Barracuda IM Firewall 3.4.01.004 and earlier
  • Barracuda Link Balancer 2.1.1.010 and earlier
  • Barracuda Load Balancer 3.3.1.005 and earlier
  • Barracuda Message Archiver 2.2.1.005 and earlier
  • Barracuda Spam & Virus Firewall 4.1.2.006 and earlier
  • Barracuda SSL VPN 1.7.2.004 and earlier
  • Barracuda Web Application Firewall 7.4.0.022 and earlier
  • Barracuda Web Filter 4.3.0.013 and earlier

Just take a look on the day between the 0day and the Barracuda security advisory, is there any relation ship between ShadowHatesYou and the 2 credited guys? Also the initial affected product version was 4.1.1.021, but as described by Barracuda the upper affected version was 4.1.2.006. So ShadowHatesYou wasn’t aware that more products and upper versions where affected.

So after these Metasploit issue updates, OSVDB and Secunia have update they’re references for all Barracuda affected products and versions.

Now, after the extension of this vulnerability to more products, you have, in the wild wild Internet, thousands of Barracuda vulnerable products, how permit to a bad guy to take a complete control on the administration interface (to create firewall rules in order to access to the internal network, to route the internal network to a malicious target, etc, etc). These affected networks could be considered as completely compromised.