Script http-barracuda-dir-traversal

Script types: portrule
Categories: intrusive, exploit, auth
Download: https://svn.nmap.org/nmap/scripts/http-barracuda-dir-traversal.nse

Script Summary

Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability described at http://seclists.org/fulldisclosure/2010/Oct/119.

This vulnerability is in the "locale" parameter of "/cgi-mod/view_help.cgi" or "/cgi-bin/view_help.cgi", allowing the information to be retrieved from a MySQL database dump. The web administration interface runs on port 8000 by default.

Barracuda Networks Spam & Virus Firewall <= 4.1.1.021 Remote Configuration Retrieval Original exploit by ShadowHatesYou <Shadow@SquatThis.net> For more information, see: http://seclists.org/fulldisclosure/2010/Oct/119 http://www.exploit-db.com/exploits/15130/

Script Arguments

http-max-cache-size

Set max cache size. The default value is 100,000. Barracuda config files vary in size mostly due to the number of users. Using a max cache size of 5,000,000 bytes should be enough for config files containing up to 5,000 users.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap --script http-barracuda-dir-traversal --script-args http-max-cache-size=5000000 -p <port> <host>

Script Output

PORT   STATE SERVICE   REASON
8000/tcp open  http    syn-ack Barracuda Spam firewall http config
| http-barracuda-dir-traversal:
| Users: 256
| Device: Barracuda Spam Firewall
| Version: 4.1.0.0
| Hostname: barracuda
| Domain: example.com
| Timezone: America/Chicago
| Language: en_US
| Password: 123456
| API Password: 123456
| MTA SASL LDAP Password: 123456
| Gateway: 192.168.1.1
| Primary DNS: 192.168.1.2
| Secondary DNS: 192.168.1.3
| DNS Cache: No
| Backup Server: ftp.example.com
| Backup Port: 21
| Backup Type: ftp
| Backup Username: user
| Backup Password: 123456
| NTP Enabled: Yes
| NTP Server: update01.barracudanetworks.com
| SSH Enabled: Yes
| BRTS Enabled: No
| BRTS Server: fp.bl.barracudanetworks.com
| HTTP Port: 8000
| HTTP Disabled: No
| HTTPS Port: 443
| HTTPS Only: No
|
| Vulnerable to directory traversal vulnerability:
|_http://seclists.org/fulldisclosure/2010/Oct/119

Requires

• http
• shortport
• stdnse
• string
• table

---

Author:

• Brendan Coles

License: Same as Nmap--See https://nmap.org/book/man-legal.html