Tag Archives: LFI

EDB-ID-15130 : Barracuda Networks Spam & Virus Firewall LFI extended to more products

The 10/09/2010, Tiago Ferreira, submitted a new HTTP scanner auxiliary module to the Metasploit team, “barracuda_directory_traversal“, how was added in the Metasploit Framework SVN.

Interested by this new scanner, I decided to take a look on the initial linked references (OSVDB 68301 / SA41609 / EDB-ID 15130).

At this time EDB-ID 15130 was the initial reference, with 27/09/2010 as creation date, and the associated 0day only mention “Barracuda Networks  Spam & Virus Firewall version 4.1.1.021” as affected product. Today it is still the case. Secunia Advisory was created the 01/10/2010, and only mentioned the same product as the EDB-ID. OSVDB reference was created the 03/10/2010, and same as the other references only mentioned the same affected product.

I decided to test the vulnerability, but first of all I had to find some vulnerable targets. For this purpose SHODAN was the key for my searches. Just type “barracuda” in the SHODAN search engine and you will find hundreds of results.

Directly with SHODAN result i saw different Barracuda fingerprints :

  • Barracuda Link Balancer
  • Barracuda Load Balancer
  • Barracuda Spam Firewall
  • Barracuda Spam & Virus Firewall
  • etc.

To see the scanner in action I tested, with Metasploit, all IPs of the “Barracuda Spam & Firewall” fingerprint. Evidence are clear, more than 90% of the targets where vulnerable. Intrigued by the others fingerprints, I decided to test the exploit by hand, not with Metasploit, on “normally non vulnerable” products. I was surprised when i saw that these products where also vulnerable to this vulnerability. Decided, then, to test it with Metasploit. But the tool returned me that the products where not vulnerables.

Something was wrong with the Metasploit scanner, and/or something was wrong with the references.

In order to improve Metasploit, a tool I love, i opened an issue for the Metasploit team, and decided to find the real reason on these differences.

Here under is the final word of the story.

ShadowHatesYou submitted the 0day to Exploit DB the 27/09/2010, but 28/09/2010 Barracuda has release a security update for most of they products. This discovery was credited to “Randy Janinda” and “Sanjeev Sinha” by Barracuda. The affected products were :

  • Barracuda IM Firewall 3.4.01.004 and earlier
  • Barracuda Link Balancer 2.1.1.010 and earlier
  • Barracuda Load Balancer 3.3.1.005 and earlier
  • Barracuda Message Archiver 2.2.1.005 and earlier
  • Barracuda Spam & Virus Firewall 4.1.2.006 and earlier
  • Barracuda SSL VPN 1.7.2.004 and earlier
  • Barracuda Web Application Firewall 7.4.0.022 and earlier
  • Barracuda Web Filter 4.3.0.013 and earlier

Just take a look on the day between the 0day and the Barracuda security advisory, is there any relation ship between ShadowHatesYou and the 2 credited guys? Also the initial affected product version was 4.1.1.021, but as described by Barracuda the upper affected version was 4.1.2.006. So ShadowHatesYou wasn’t aware that more products and upper versions where affected.

So after these Metasploit issue updates, OSVDB and Secunia have update they’re references for all Barracuda affected products and versions.

Now, after the extension of this vulnerability to more products, you have, in the wild wild Internet, thousands of Barracuda vulnerable products, how permit to a bad guy to take a complete control on the administration interface (to create firewall rules in order to access to the internal network, to route the internal network to a malicious target, etc, etc). These affected networks could be considered as completely compromised.

Joomla Local File Inclusion exploits attempts under monitoring

As discussed in a previous post, Local File Inclusion (LFI) exploits are increasing. The major vector of this increasing activity is due to Joomla, his daily vulnerabilities and th e integration of LFI dorks into RFI scanners 🙂 We propose you to follow all the Joomla LFI exploits attempts on our Honey Net in real time.

Weekly Joomla Local File Inclusion exploits attempts
Weekly Joomla Local File Inclusion exploits attempts

Monthly Joomla Local File Inclusion exploits attempts
Monthly Joomla Local File Inclusion exploits attempts
Weekly Joomla Local File Inclusion exploits attempts source IPs
Weekly Joomla Local File Inclusion exploits attempts source IPs
Monthly Joomla Local File Inclusion exploits attempts source IPs
Monthly Joomla Local File Inclusion exploits attempts source IPs

Local File Inclusion attempts on the rise

They’re is no new day without a Joomla Local File Inclusion (LFI) vulnerability. Just take a look at Exploit-DB, Inj3ct0r or Hack0wn and you will find thousands of Joomla components vulnerable to this vulnerability.

Since many years, security researcher have write studies on this vulnerability, and describe the different way to exploit them. You can find some good papers about LFI exploitations on Exploit-DB. But since 2010, LFI are coming back in force.

LFI vulnerability doesn’t look like to be dangerous in a first manner, but maybe we have to make a quick recap on the potential impacts to be vulnerable :

  • Exposure of sensitive informations (clear or hashed password, source code, documents leakage, etc.)
  • Exposure of system informations (system informations, users list, runtime informations, etc.)
  • Security bypass (normally inaccessible informations could be acceded…)
  • System access (malicious users could gain access to the system and compromise him)
  • Be involved in a botnet without knowing it
  • etc.

Why Local File Inclusion (LFI) attemps are on the rise ? The answer is very simple, cause Remote File Inclusion (RFI) are stagnating or even declining. Just do a simple research on Exploit-DB for RFI, you will directly see the difference with the LFI search. RFI vulnerabilities are very simple to exploit unlike LFI vulnerabilities. To argument, I propose you to visit our one year RFI HoneyNet statistics, you will see the increasing activity of RFI botnets. But the number of RFI exploits are decreasing continuously since the hype of 2006 and 2007. Compromised hosts by LFI are integrated into RFI botnets.

Despite LFI exploitation fail in 90% of cases (due to the OS, web server or PHP default hardening), if you scan 1000 hosts you can finally compromise 100 of them. LFI compromised hosts are compensating the decrease of RFI compromised hosts by RFI exploits. In such manner, we can see since 2010 apparition of dedicated Joomla LFI dork lists and mutation of traditional RFI scanners to LFI/RFI scanners (LRFI). The 2010 mutation of all traditional RFI scanner is also now to integrate XML RPC and SQL injection scanners, with nice updated dork lists.

We provide you a list of all unique LFI attempts on our HoneyNet for the latest 24 hours. This list will be updated daily and will permit you to follow the new vulnerable web applications.

So just a final word, take care on your /proc/self/environ, and special dedication to Indonesia 🙂 If you are curious, take a look to the Indonesian scene.

Analysis of Joomla wgPicasa component LFI source IPs

In a previous post, we have seen that Joomla wgPicasa component LFI exploit was more used than other LFI exploits. I was interested to see if the source IPs of this particular LFI attack was implicated into other attacks and integrated into bigger botnets.

First of all, since the 15 April 2010, we have 165 different unique source IPs how have attempt to use the Joomla wgPicasa component LFI exploit on our HoneyNet. These source IPs have generate 20 351 events. Here under an afterglow representation of all these IPs with they weight in term of events.

165 source IPs calling SIG 2011067
165 source IPs calling SIG 2011067

Are these source IPs involved in other activities ? Surely yes 🙂 After some crazy SQL queries on our HoneyNet database, we got these results.

  • 45 others exploits where detected from the same source IPs who are exploiting the Joomla wgPicasa component LFI vulnerability.
  • Some of these 45 exploits are targeting others LFI exploits, for examples :
  1. Joomla Component com_ccnewsletter controller
  2. Ideal MooFAQ Joomla Component file_includer.php
  3. rgboard _footer.php skin_path parameter
  4. phpSkelSite TplSuffix parameter
  5. MODx CMS snippet.reflect.php reflect_base
  6. TBmnetCMS index.php content Parameter
  7. etc.
  • Some of these 45 exploits are targeting RFI exploits, for examples :
  1. ProdLer prodler.class.php sPath Parameter
  2. Datalife Engine api.class.php dle_config_api Parameter
  3. SERWeb main_prepend.php functionsdir Parameter
  4. Possible AIOCP cp_html2xhtmlbasic.php
  5. Mambo/Joomla! com_koesubmit Component ‘koesubmit.php’
  6. eFront database.php
  7. etc.
  • Some of these 45 exploits are trying SQL injection, for examples :
  1. MYSQL SELECT CONCAT SQL Injection
  2. SQL Injection Attempt UNION SELECT
  3. SQL Injection Attempt SELECT FROM

Here under an afterglow representation of the interactions between all source IPs and them attached exploits attempts.

All SIGs attached to the 165 SIG 2011067 source IPs
All SIGs attached to the 165 SIG 2011067 source IPs

We can clearly see that most of these source IPs are controlled by Remote File Inclusion botnets, but some of them are standalone and only exploiting the particular Joomla wgPicasa component LFI.