Unauthenticated setting of Java System Properties

SEC Consult Vulnerability Lab Security Advisory < 20130124-1 >

=======================================================================

title: Unauthenticated setting of Java System Properties

authentication bypass

product: Barracuda SSL VPN

vulnerable version: < Security Definition 2.0.5

fixed version: Security Definition 2.0.5

impact: Critical

homepage: www.barracudanetworks.com

found: 2013-01-06

by: S. Viehböck

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor/product description:

-----------------------------

"Securely connecting remote users to files, applications, and secure

sites - residing behind the firewall - is vital for worker mobility

as well as for business continuity and data loss prevention (DLP).

The Barracuda SSL VPN is a powerful plug-and-play appliance

purpose-built to provide remote users with secure access to internal

network resources. It does this while giving administrators unrivaled

insight and tools for managing remote network access."

URL: www.barracudanetworks.com/products/sslvpn

 

Vulnerability overview/description:

-----------------------------------

1) Unauthenticated setting of Java system properties

Unauthenticated users can set an arbitrary Java system property to an

arbitrary value. Among other attacks (eg. DoS), this allows an

attacker to break the applications security mechanisms. (see 2)

2) Unauthenticated access to critical functions

The vulnerability in 1) can be used to bypass access restrictions

in order to get access to the 'API' functionality. This enables an

unauthenticated attacker to download configuration files and database

dumps. Furthermore the system can be shutdown and new admin passwords

can be set using this functionality without prior authentication!

 

Proof of concept:

-----------------

URLs and other exploit code have been removed from this advisory. A detailed

advisory will be released within a month including the omitted information.

 

1) Unauthenticated setting of Java system properties

The following request sets the system property 'foo' to the value 'bar':

<URL removed>

Affected script: setSysProp.jsp

 

2) Unauthenticated access to critical functions

The following requests disable access restrictions for the 'API'

functionality:

<URLs removed>

Affected script: setSysProp.jsp

Then full API access is available without prior authentication.

Interesting functions are for instance:

* ConfDump

<URL removed>

Full dump of the /home/bvs/code/firmware/current/sslexplorer/conf/

directory.

* SqlDump

<URL removed>

Full dumps of databases. valid options are: config,

explorer_auditing, explorer_configuration and explorer_local.

Note: this function is vulnerable to local file disclosure too

<URL removed>

* Shutdown

<URL removed>

Shutdown/restart of appliance.

* SetSuperUserPassword

Allows setting the passwords of users in the superuser group.

<URL removed>

 

Vulnerable / tested versions:

-----------------------------

The vulnerability has been verified to exist in Barracuda SSL VPN

version 2.2.2.203, which was the most recent version at the time of

discovery.

 

Vendor contact timeline:

------------------------

2013-01-10: Sending advisory and proof of concept exploit via encrypted

channel.

2013-01-14: Vendor confirms receipt and provides BNSEC IDs.

2013-01-14: Vendor sends listing of reported vulnerabilities and release

schedule.

2013-01-21: Conference call - discussing implemented solutions.

2013-01-23: Barracuda Networks releases alert & secdef

2013-01-24: SEC Consult releases coordinated security advisory.

 

Solution:

---------

Update to Security Definition 2.0.5.

 

Workaround:

-----------

No workaround available.

 

Advisory URL:

--------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF S. Viehböck / @2013