Document Title:
===============
Barracuda Networks MDM - Persistent Mail Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1315

Release Date:
=============
2016-02-04

Vulnerability Laboratory ID (VL-ID):
====================================
1315

Common Vulnerability Scoring System:
====================================
3

Product & Service Introduction:
===============================
Use Barracuda Mobile Device Manager to manage mobile devices from the cloud, and deploy applications and resources to mobile devices. The Barracuda Mobile Device Manager Service provides a web interface for the administrator to configure the service, along with the Barracuda Mobile Companion application for end users, to provide complete Bring Your Own Device (BYOD) security and assigned device scenarios. Protect and apply secure browsing policies for groups of students, employees, and guests who are using their personal mobile devices inside or outside of your network, or manage business or institutionally owned devices within your network. From here you can easily manage mobile phones and tablets on your network while providing your users the freedom to use their device of choice. To get started enrolling devices, follow one of the methods listed in the Device Enrollment section below. Please note that in order to enroll iOS devices you must first configure an Apple Push Certificate. For additional documentation on the Barracuda MDM service, see the Barracuda TechLibrary.

( Copy of the Homepage: https://techlib.barracuda.com/mdm )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the Barracuda Networks Mobile Device Manager appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2016-02-04: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Barracuda Networks
Product: Mobile Application Manager 2014 Q3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Low

Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official Barracuda Networks Mobile Device Manager web-application. The vulnerability allows remote attackers to inject their own malicious script code on the application side into outgoing Barracuda MDM emails.

The vulnerability is located in the `Include Shared Secret` function and the `message body` of the `Mobile Devices > Settings > Enrollment` module. Local low privileged user accounts can inject their own script code as payload into the Shared Secret input field at the top of the module. After saving, the attacker scrolls down to the `Include Shared Secret` function and the `message body` input. First the attacker injects the same payload into the message body, then activates `Include Shared Secret`. Once the shared secret function is activated, the code from the input above is included in the message body context. The attacker then enters the mail address of a Barracuda user in the `Enrollment URL To:` (/enroll/x5ZFhPxdkf) field and clicks send. The malicious content is sent through the secure form to the receiver together with the persistent code, which executes in the message body of the mail.

The attack vector of the issue is located on the application side and the request method used to inject is POST. The exchange includes an X-XSS-Protection header that covers the session.
The execution takes place outside, in the mail context, and the XSS protection mechanism does not prevent the injected content from being included and saved, which allows a local attacker to exploit the bug.

The security risk of the persistent mail encoding web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.0. Exploitation of the application-side vulnerability requires a low privileged Barracuda Mobile Device Manager account with restricted access and low or medium user interaction. Successful exploitation of the vulnerability results in persistent phishing, persistent session hijacking and persistent mail context manipulation.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Mobile Devices > Settings > Enrollment

Vulnerable Function(s):
[+] Include Shared Secret (top)

Vulnerable Input(s):
[+] Shared Secret (bottom)
[+] message body

Affected Module(s):
[+] Enrollment Email Notification Context (Invite)

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with a low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
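The encoding defect described in the Technical Details section and the fix proposed in the Solution section, as an added Python example that is not part of this advisory and not Barracuda's code: the vulnerable invite builder appends the raw shared secret to the raw message body when `show_secret` is set, the hardened one HTML-encodes both values before they reach the mail body, and a helper flags any unencoded markup in the generated body. The mail template, the shared-secret input policy and the sample values are assumptions.

```python
import html
import re

# Constructed sample inputs, mirroring the two fields named in the advisory
# (the `Shared Secret` value and the enrollment `message body`); not real data.
SAMPLE_MESSAGE = "Please follow the invitation link and use the shared secret:"
SAMPLE_SECRET = 'abc<script>alert("x")</script>'

# Assumed input policy for a shared secret (not Barracuda's own rule):
# ASCII letters, digits and a few separators, 8 to 64 characters.
SECRET_PATTERN = re.compile(r"[A-Za-z0-9._-]{8,64}")

def validate_shared_secret(secret: str) -> bool:
    """Input-side restriction for the `Shared Secret` field (updatesharedsecret):
    anything outside the allowed set, including markup, is rejected at save time."""
    return SECRET_PATTERN.fullmatch(secret) is not None

def build_invite_vulnerable(message: str, secret: str, show_secret: bool) -> str:
    """Reproduces the flaw the advisory describes: with `show_secret` true the raw
    secret is appended to the raw message and both are placed in the HTML mail
    body with no output encoding, so markup in either field reaches the recipient."""
    body = message
    if show_secret:
        body += " *** " + secret
    return "<p>" + body + "</p>"

def build_invite_hardened(message: str, secret: str, show_secret: bool) -> str:
    """Same mail, but every user-controlled value is HTML-entity encoded before it
    is placed in the body (output encoding), independent of the input policy."""
    body = html.escape(message, quote=True)
    if show_secret:
        body += " *** <b>" + html.escape(secret, quote=True) + "</b>"
    return "<p>" + body + "</p>"

def contains_raw_markup(mail_body: str) -> bool:
    """Post-generation check: strip the template's own fixed tags and flag any
    angle bracket left over, which would mean a user value was not encoded."""
    stripped = mail_body
    for tag in ("<p>", "</p>", "<b>", "</b>"):
        stripped = stripped.replace(tag, "")
    return "<" in stripped or ">" in stripped

if __name__ == "__main__":
    for build in (build_invite_vulnerable, build_invite_hardened):
        out = build(SAMPLE_MESSAGE, SAMPLE_SECRET, True)
        print(build.__name__, "raw markup left in mail body:", contains_raw_markup(out))
```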
--- PoC Session Logs [POST] (enrollment/updatesharedsecret) ---
13:28:19.988[727ms][total 727ms] Status: 200[OK]
POST https://mdm.[SERVER].com/enrollment/updatesharedsecret?_=1409830099976
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[91] Mime Type[text/html]
   Request Header:
      Host[mdm.[SERVER].com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[https://mdm.[SERVER].com/enrollment]
      Content-Length[51]
      Cookie[CLOUD_LOCALE=en_US; cloud_session=ksfd3hb8fl4l5cl3jve131r6d7; current_account=5584599; CLOUD_AT=GL-a9ac8a1130e58f01dbb9bbef27b0e446897d1ed5-d7e765f780af7c2d042f557e610f89ec; __utma=72726272.1496886540.1409824732.1409824732.1409824732.1; __utmb=72726272.52.10.1409824732; __utmc=72726272; __utmz=72726272.1409824732.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=lr9asou2hjmtc790upmpmvb0c1]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      is_ajax[1]
      ajax_response_format[json]
      secret[[PERSISTENT INJECTED SCRIPT CODE THROUGH INCLUDE SHARE SECRET FUNCTION]]
   Response Header:
      Date[Thu, 04 Sep 2014 11:28:56 GMT]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]
      X-Frame-Options[SAMEORIGIN, SAMEORIGIN]
      X-XSS-Protection[1; mode=block]
      Content-Length[91]
      Keep-Alive[timeout=15, max=100]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=utf-8]
-
13:28:20.768[390ms][total 1897ms] Status: 200[OK]
GET https://mdm.[SERVER].com/enrollment
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[6640] Mime Type[text/html]
   Request Header:
      Host[mdm.[SERVER].com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Cookie[CLOUD_LOCALE=en_US; cloud_session=ksfd3hb8fl4l5cl3jve131r6d7; current_account=5584599; CLOUD_AT=GL-a9ac8a1130e58f01dbb9bbef27b0e446897d1ed5-d7e765f780af7c2d042f557e610f89ec; __utma=72726272.1496886540.1409824732.1409824732.1409824732.1; __utmb=72726272.52.10.1409824732; __utmc=72726272; __utmz=72726272.1409824732.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=lr9asou2hjmtc790upmpmvb0c1]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Date[Thu, 04 Sep 2014 11:28:56 GMT]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]
      X-Frame-Options[SAMEORIGIN, SAMEORIGIN]
      X-XSS-Protection[1; mode=block]
      Content-Length[6640]
      Keep-Alive[timeout=15, max=99]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=utf-8]
-
13:28:51.774[643ms][total 643ms] Status: 200[OK]
POST https://mdm.[SERVER].com/enrollment/enrollemail?_=1409830131753
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[108] Mime Type[text/html]
   Request Header:
      Host[mdm.[SERVER].com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[https://mdm.[SERVER].com/enrollment]
      Content-Length[201]
      Cookie[CLOUD_LOCALE=en_US; cloud_session=ksfd3hb8fl4l5cl3jve131r6d7; current_account=5584599; CLOUD_AT=GL-a9ac8a1130e58f01dbb9bbef27b0e446897d1ed5-d7e765f780af7c2d042f557e610f89ec; __utma=72726272.1496886540.1409824732.1409824732.1409824732.1; __utmb=72726272.53.10.1409824732; __utmc=72726272; __utmz=72726272.1409824732.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=lr9asou2hjmtc790upmpmvb0c1]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      is_ajax[1]
      ajax_response_format[json]
      email%5Bemail%5D[bkm%40evolution-sec.com]
      email%5Bshow_secret%5D[true]
      email%5Bmessage%5D[Please+follow+the+invitation+link+and+use+the+shared+secret%3A+***+[PERSISTENT INJECTED SCRIPT CODE THROUGH INCLUDE SHARE SECRET FUNCTION]]
   Response Header:
      Date[Thu, 04 Sep 2014 11:29:27 GMT]
      Expires[Thu, 19 Nov 1981 08:52:00 GMT]
      Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
      Pragma[no-cache]
      Vary[Accept-Encoding,User-Agent]
      Content-Encoding[gzip]
      X-Frame-Options[SAMEORIGIN, SAMEORIGIN]
      X-XSS-Protection[1; mode=block]
      Content-Length[108]
      Keep-Alive[timeout=15, max=100]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=utf-8]

Solution - Fix & Patch:
=======================
The issue can be patched by a secure restriction of the vulnerable shared secret input at the top of the application. Restrict and filter the message body context as well. Parse and encode the included content that runs through both functions and leads to the execution in the mail body context.

Note: The Barracuda Networks developer team patched the vulnerability during the verification procedure of the issue.

Security Risk:
==============
The security risk of the mail encoding web vulnerability in the enrollment function is estimated as medium. (CVSS 3.0)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material, contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

Copyright © 2016 | Vulnerability Laboratory [Evolution Security]