Document Title:
===============
Barracuda Networks Backup - Persistent Web Vulnerability


Date:
=====
2014-02-25


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=784

BARRACUDA NETWORK SECURITY ID: BNSEC-885


VL-ID:
=====
784


Common Vulnerability Scoring System:
====================================
3.5


Introduction:
=============
Barracuda Backup Service is a complete and affordable data backup solution. The Barracuda Backup 
Server provides a full local data backup and is combined with a storage subscription to replicate 
data to two offsite locations. This approach provides the best of both worlds - onsite backups for 
fast restore times and secure, offsite storage for disaster recovery. Block level deduplication is 
applied inline to reduce traditional backup storage requirements by 20 to 50 times while also 
reducing backup windows and bandwidth requirements. Cloud Storage with Deduplication

Barracuda Backup Subscription plans provide diverse offsite storage at affordable monthly fees that 
scale to meet increasing data requirements.

    * Secure backup to two geo-separate data centers
    * Deduplicated efficient backup storage
    * Redundant disk-based storage
    * Best-of-breed data retention policies
    * Web interface multi-location management
    * Restore by Web, FTP and Windows software

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/backup_overview.php)


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Barracuda Networks Backup appliance web-application.


Report-Timeline:
================
2013-12-02:	Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-12-04:	Vendor Notification (Barracuda Networks Security Team)
2013-12-08:	Vendor Response/Feedback (Barracuda Networks Security Team)
2014-02-17:	Vendor Fix/Patch (Barracuda Networks Developer Team)
2014-02-26:	Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
A persistent web vulnerability has been discovered in the official Barracuda Networks Backup appliance web-application.
The bugs allows remote attackers to inject own malicious script code on the application-side (persistent) of the service.

The persistent vulnerability is located in the `remote_host` value of the `Extern Backup` module. Remote attackers are able 
to inject via POST method request own malcious script codes as remote_host. The result is the persistent (application-side) 
execution out in the vulnerable remote_host list module. The attack vector is persistent on the application-side and the 
request method to inject is POST. The security risk of the persistent input validation web vulnerability is estimated as 
medium with a cvss (common vulnerability scoring system) count of 3.5(+)|(-)3.6.

Exploitation of the persistent web vulnerability requires low user interaction and a low privileged web-application appliance 
user account. Successful exploitation of the vulnerability results in persistent session hijacking (admin/auditor), persistent 
phishing (application-side), persistent external redirect and persistent manipulation of affected or connected vulnerable modules.

Request Method(s):
				[+] POST

Vulnerable Section(s):
				[+] Jetz Sichern

Vulnerable Module(s):
				[+] Extern Backup > Ziel hinzufügen (Add Target) - Listing 

Vulnerable Parameter(s):
				[+] remote_host (Exception-Handling) - Error (Invalid)


Proof of Concept:
=================
The persistent input validation vulnerability can be exploited by remote attacker with low privileged application user account and 
low required user interaction. For demonstration or reproduce ...

Review: Jetz Sichern > Extern Backup > Ziel hinzufügen > [remote_host] > Listing 

<div class="fieldGroupInfo">You can optionally choose a Backup Server from your account to load the required info automatically, 
or enter it manually.</div>

<div class="fieldGroupError"></div>
</div>
<div class="replication_wrapper">
<div class="fieldGroup  statusError"><label class="ultraform_label">Ziel-IP-Adresse:</label>
<span><div class="alba-placeholder" style="position: absolute; background: none repeat scroll 0% 0% transparent; 
border-color: transparent; border-style: solid; height: 17px; width: 241px; padding: 2px 3px; font-size: 13px; font-family: 
Arial,'Liberation Sans',FreeSans,sans-serif; font-weight: 400; font-style: normal; letter-spacing: normal; line-height: 16px; 
text-align: start; text-decoration: none; border-width: 1px; vertical-align: middle; cursor: text; overflow: hidden; text-overflow: 
ellipsis; white-space: nowrap; -moz-user-select: none; color: rgba(0, 0, 0, 0.35); top: 79px; left: 268px; display: none;">
Ziel-Hostname oder IP-Adresse</div><input _placeholder="Ziel-Hostname oder IP-Adresse" size="35" 
name="remote_host" value="">"<iframe src=a>%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!];) <" content_source="" 
id="remote_host" type="text">
</span><span class="fieldGroupStatus"> </span>
<div class="fieldGroupInfo">Geben Sie die IP-Adresse oder den Hostnamen des Ziel-Backup-Servers ein. Die Adresse muss von diesem Backup 
Server aus erreichbar sein. Alternative Portnummern können angegeben werden. Beispiel: 192.168.1.2:5001</div>
<div class="fieldGroupError">Sie haben keine Erlaubnis zum Hinzufügen oder Editieren von Ziel-Backup-Servern.</div>
</div>


Solution:
=========
The vulnerability can be patched by a secure encode and parse of the remote_host value in the `Extern Backup` module of the `Ziel hinzufügen` function.
Restrict the remote_host input fields and filter the POST method request after the regular mask validation to prevent script code injection attacks.


Risk:
=====
The security risk of the persistent web vulnerability is estimated as medium because of  the location in the remote_host exception-handling.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]