Thursday, January 24, 2013

Barracuda SSH Backdoors

Today I learned of an advisory posted on reddit regarding Barracuda and certain "support" SSH backdoors installed on many of their products. Unfortunately I don't have a Barracuda product to test the specific attack strings on, but I have been able to gather quite a bit of information on it:

Here is the reddit netsec article on it:
http://www.reddit.com/r/netsec/comments/176p7z/critical_ssh_backdoor_in_multiple_barracuda/

Here is the Neohapsis copypasta from SEC-consult:
http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0221.html

Here is the original advisory:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130124-0_Barracuda_Appliances_Backdoor_wo_poc_v10.txt

Barracuda released several "tech alerts" about this vuln:
https://www.barracudanetworks.com/support/techalerts

Here is a full disclosure post from 2011 where someone suspected Barracuda had a backdoor (for lolz):
http://seclists.org/fulldisclosure/2011/Apr/460

Here is a blog post from 2009 (seriously) by a guy who got root access from the console and revealed details that overlap with the advisory:
http://blog.shiraj.com/2009/09/barracuda-spam-firewall-root-password/

Summary of the situation:
The following products:
     Barracuda Spam and Virus Firewall
     Barracuda Web Filter
     Barracuda Message Archiver
     Barracuda Web Application Firewall
     Barracuda Link Balancer
     Barracuda Load Balancer
     Barracuda SSL VPN
     (all including their respective virtual "Vx" versions)
Vulnerable versions: all versions earlier than Security Definition 2.0.5

All have preinstalled (undocumented) support accounts with SSH access in /etc/passwd.
The "product" support account drops you to a shell without requiring SSH keys, and that account also has access to the MySQL database, where the list of users allowed to log in can be modified...

Only hosts from the following source IP ranges can reach this SSH daemon:
192.168.200.0/24
192.168.10.0/24
205.158.110.0/24
216.129.105.0/24

There are some reports that the "product" user requires no password.
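Two things a defender can check on any appliance they do control follow from the summary above: whether /etc/passwd carries login-capable accounts that nobody documented, and whether sshd has accepted sessions from the source ranges the advisory names. The script below is an added example written for this post, not Barracuda's code or anything from the advisory; the passwd entries and auth log lines it runs over are constructed samples, and the account names used as "expected" are assumptions for the sake of the demonstration.

```python
import ipaddress

# Source ranges quoted in the advisory summary above.
ADVISORY_RANGES = [ipaddress.ip_network(c) for c in (
    "192.168.200.0/24", "192.168.10.0/24",
    "205.158.110.0/24", "216.129.105.0/24",
)]

# Shells that do not give an interactive session; anything else counts as a login shell.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed /etc/passwd sample (not from a real appliance).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
product:x:1001:1001:support account:/home/product:/bin/bash
admin:x:1002:1002:local admin:/home/admin:/bin/bash
"""

# Constructed sshd log lines in the usual syslog format (not captured from a real host).
SAMPLE_AUTH_LOG = [
    "Jan 24 10:02:11 bsf sshd[1234]: Accepted password for product from 205.158.110.17 port 51022 ssh2",
    "Jan 24 10:05:40 bsf sshd[1240]: Accepted publickey for admin from 10.0.0.5 port 50110 ssh2",
    "Jan 24 10:06:02 bsf sshd[1251]: Failed password for invalid user test from 192.168.10.9 port 40000 ssh2",
]


def login_accounts(passwd_text):
    """Return (name, uid, shell) for every passwd entry whose shell allows a login."""
    found = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip it rather than guess at the layout
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if shell not in NON_LOGIN_SHELLS:
            found.append((name, int(uid), shell))
    return found


def unexpected_accounts(passwd_text, expected):
    """Login-capable accounts whose names are not in the documented set `expected`."""
    return [acct for acct in login_accounts(passwd_text) if acct[0] not in expected]


def in_advisory_ranges(ip):
    """True if `ip` falls inside one of the ranges the advisory lists."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADVISORY_RANGES)


def flag_ssh_logins(auth_lines):
    """(user, ip) for each accepted sshd session whose source is in an advisory range."""
    hits = []
    for line in auth_lines:
        if "sshd" not in line or "Accepted" not in line:
            continue
        parts = line.split()
        # sshd logs "Accepted <method> for <user> from <ip> port <n> ssh2"
        try:
            user = parts[parts.index("for") + 1]
            ip = parts[parts.index("from") + 1]
        except (ValueError, IndexError):
            continue
        if in_advisory_ranges(ip):
            hits.append((user, ip))
    return hits


def audit(passwd_text, auth_lines, expected):
    """Run both checks and return a dict a monitoring job could act on."""
    return {
        "unexpected_accounts": unexpected_accounts(passwd_text, expected),
        "advisory_range_logins": flag_ssh_logins(auth_lines),
    }


if __name__ == "__main__":
    # "root" and "admin" are the accounts we assume were documented for this host.
    for key, value in audit(SAMPLE_PASSWD, SAMPLE_AUTH_LOG, {"root", "admin"}).items():
        print(key, value)
```

On a real host you would feed `audit()` the contents of /etc/passwd and the sshd entries from /var/log/auth.log or /var/log/secure; the IP check is a sensible candidate for a firewall deny rule or an alert, since legitimate administration of your own appliance rarely originates from a vendor's address space.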

If anyone can get me the user hashes, I can run them through my (pretty big/extensive) wordlists with rulesets.
