Script http-barracuda-dir-traversal
Script types: portrule
Categories: intrusive, exploit, auth
Download: https://svn.nmap.org/nmap/scripts/http-barracuda-dir-traversal.nse
Script Summary
Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.
This vulnerability is in the "locale" parameter of "/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi", allowing the information to be retrieved from a MySQL database dump. The web administration interface runs on port 8000 by default.
Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval
Original exploit by ShadowHatesYou <Shadow@SquatThis.net>
For more information, see:
- http://seclists.org/fulldisclosure/2010/Oct/119
- http://www.exploit-db.com/exploits/15130/
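For defenders reviewing web logs from an affected appliance or a proxy in front of it, the following is an added example (not part of the Nmap script or of Barracuda's software) that flags requests to the two help endpoints whose "locale" value contains a traversal segment or does not look like a locale at all. It assumes common/combined access-log format and that a legitimate locale has the form "en_US"; the log lines, addresses and the PLACEHOLDER path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints named in the script summary above.
HELP_PATHS = {"/cgi-mod/view_help.cgi", "/cgi-bin/view_help.cgi"}
# Assumption: a legitimate locale has the form "en_US", as in the script output.
LOCALE_OK = re.compile(r"[a-z]{2}(_[A-Z]{2})?")
# Request line of an access-log entry (assumed common/combined log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample lines; addresses and paths are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-mod/view_help.cgi?locale=en_US HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-mod/view_help.cgi?locale=/../../PLACEHOLDER HTTP/1.1" 200 90211',
    '192.0.2.66 - - [01/Jan/2024:10:00:06 +0000] "GET /cgi-bin/view_help.cgi?locale=%252e%252e%252fPLACEHOLDER HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-mod/index.cgi?locale=../PLACEHOLDER HTTP/1.1" 200 10',
]

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return None for unrelated or benign lines, else a finding label."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if fully_decode(url.path) not in HELP_PATHS:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("locale", []):
        value = fully_decode(raw)
        if ".." in re.split(r"[\\/]", value):   # ".." as a whole path segment
            return "traversal"
        if not LOCALE_OK.fullmatch(value):      # allowlist check
            return "unexpected-locale"
    return None

def scan(lines):
    """Return (line number, finding) for every flagged line."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {finding}")
```

A flagged request that was answered with status 200 and an unusually large body is worth prioritising, since the script summary notes that the retrieved configuration dump grows with the number of users.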
Script Arguments
- http-max-cache-size
Set max cache size. The default value is 100,000. Barracuda config files vary in size mostly due to the number of users. Using a max cache size of 5,000,000 bytes should be enough for config files containing up to 5,000 users.
- slaxml.debug
See the documentation for the slaxml library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script http-barracuda-dir-traversal --script-args http-max-cache-size=5000000 -p <port> <host>
Script Output
PORT     STATE SERVICE REASON
8000/tcp open  http    syn-ack Barracuda Spam firewall http config
| http-barracuda-dir-traversal:
| Users: 256
| Device: Barracuda Spam Firewall
| Version: 4.1.0.0
| Hostname: barracuda
| Domain: example.com
| Timezone: America/Chicago
| Language: en_US
| Password: 123456
| API Password: 123456
| MTA SASL LDAP Password: 123456
| Gateway: 192.168.1.1
| Primary DNS: 192.168.1.2
| Secondary DNS: 192.168.1.3
| DNS Cache: No
| Backup Server: ftp.example.com
| Backup Port: 21
| Backup Type: ftp
| Backup Username: user
| Backup Password: 123456
| NTP Enabled: Yes
| NTP Server: update01.barracudanetworks.com
| SSH Enabled: Yes
| BRTS Enabled: No
| BRTS Server: fp.bl.barracudanetworks.com
| HTTP Port: 8000
| HTTP Disabled: No
| HTTPS Port: 443
| HTTPS Only: No
|
| Vulnerable to directory traversal vulnerability:
|_http://seclists.org/fulldisclosure/2010/Oct/119
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html