
Barracuda SSL VPN Authentication Bypass

Posted Jan 24, 2013
Authored by S. Viehbock | Site sec-consult.com

Barracuda SSL VPN suffers from multiple authentication bypass vulnerabilities.

tags | advisory, vulnerability
SHA-256 | 2e9dabefadd19b1d7aa7a94287028e4a3bdd2d46f0e4a5d36287849ea44b1c87

SEC Consult Vulnerability Lab Security Advisory < 20130124-1 >
=======================================================================
title: Unauthenticated setting of Java System Properties
       authentication bypass
product: Barracuda SSL VPN
vulnerable version: < Security Definition 2.0.5
fixed version: Security Definition 2.0.5
impact: Critical
homepage: https://www.barracudanetworks.com/
found: 2013-01-06
by: S. Viehböck
    SEC Consult Vulnerability Lab
    https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Securely connecting remote users to files, applications, and secure
sites - residing behind the firewall - is vital for worker mobility
as well as for business continuity and data loss prevention (DLP).
The Barracuda SSL VPN is a powerful plug-and-play appliance
purpose-built to provide remote users with secure access to internal
network resources. It does this while giving administrators unrivaled
insight and tools for managing remote network access."

URL: https://www.barracudanetworks.com/products/sslvpn


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated setting of Java system properties
Unauthenticated users can set an arbitrary Java system property to an
arbitrary value. Among other attacks (e.g. DoS), this allows an
attacker to break the application's security mechanisms (see 2).

2) Unauthenticated access to critical functions
The vulnerability in 1) can be used to bypass access restrictions
in order to get access to the 'API' functionality. This enables an
unauthenticated attacker to download configuration files and database
dumps. Furthermore, the system can be shut down and new admin passwords
can be set using this functionality without prior authentication!


Proof of concept:
-----------------
URLs and other exploit code have been removed from this advisory. A detailed
advisory will be released within a month including the omitted information.


1) Unauthenticated setting of Java system properties
The following request sets the system property 'foo' to the value 'bar':
<URL removed>
Affected script: setSysProp.jsp


2) Unauthenticated access to critical functions
The following requests disable access restrictions for the 'API'
functionality:

<URLs removed>
Affected script: setSysProp.jsp

Then full API access is available without prior authentication.
Interesting functions are for instance:

* ConfDump
<URL removed>
Full dump of the /home/bvs/code/firmware/current/sslexplorer/conf/
directory.

* SqlDump
<URL removed>
Full dumps of databases. Valid options are: config,
explorer_auditing, explorer_configuration and explorer_local.

Note: this function is vulnerable to local file disclosure, too.
<URL removed>

* Shutdown
<URL removed>
Shutdown/restart of appliance.

* SetSuperUserPassword
Allows setting the passwords of users in the superuser group.

<URL removed>
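
Added example, not part of the SEC Consult advisory: a Python triage pass over
web access logs that flags clients requesting setSysProp.jsp and then the API
functions listed above. The log format, the PLACEHOLDER paths and the sample
lines are assumptions constructed for illustration; only the script and
function names come from the advisory.

```python
import re

# Names taken from the advisory: the affected script and the listed API functions.
PROP_SCRIPT = "setsysprop.jsp"
API_FUNCTIONS = ("confdump", "sqldump", "shutdown", "setsuperuserpassword")

# Common log format: client, identity, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: documentation IP ranges and PLACEHOLDER paths, because the
# advisory removed the real URLs. Only file and function names are from the page.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jan/2013:10:00:01 +0000] "GET /PLACEHOLDER/setSysProp.jsp HTTP/1.1" 200 12
192.0.2.10 - - [24/Jan/2013:10:00:05 +0000] "GET /PLACEHOLDER/ConfDump HTTP/1.1" 200 48211
192.0.2.10 - - [24/Jan/2013:10:00:09 +0000] "GET /PLACEHOLDER/SqlDump HTTP/1.1" 200 90332
198.51.100.7 - - [24/Jan/2013:11:12:00 +0000] "GET /PLACEHOLDER/setSysProp.jsp HTTP/1.1" 404 0
203.0.113.5 - - [24/Jan/2013:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 512
""".splitlines()

def triage(lines):
    """Map client IP -> 'probe', 'property-set' or 'property-set+api:<names>'."""
    state = {}  # ip -> {"served": bool, "api": [function names]}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log record
        ip, uri = m["ip"], m["uri"].lower()
        served = int(m["status"]) < 400
        if PROP_SCRIPT in uri.split("?", 1)[0]:
            entry = state.setdefault(ip, {"served": False, "api": []})
            entry["served"] = entry["served"] or served
        elif ip in state and state[ip]["served"] and served:
            # Step 2 of the advisory: API functions reached after the property change.
            for fn in API_FUNCTIONS:
                if fn in uri and fn not in state[ip]["api"]:
                    state[ip]["api"].append(fn)
    findings = {}
    for ip, entry in state.items():
        if not entry["served"]:
            findings[ip] = "probe"
        elif entry["api"]:
            findings[ip] = "property-set+api:" + ",".join(entry["api"])
        else:
            findings[ip] = "property-set"
    return findings

if __name__ == "__main__":
    for ip, finding in triage(SAMPLE_LOG).items():
        print(ip, finding)
```

Java system properties are JVM-wide, so after any served setSysProp.jsp
request, API requests from other clients also merit review; the per-client
correlation here is only a first pass.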


Vulnerable / tested versions:
-----------------------------
The vulnerability has been verified to exist in Barracuda SSL VPN
version 2.2.2.203, which was the most recent version at the time of
discovery.


Vendor contact timeline:
------------------------
2013-01-10: Sending advisory and proof of concept exploit via encrypted
            channel.
2013-01-14: Vendor confirms receipt and provides BNSEC IDs.
2013-01-14: Vendor sends listing of reported vulnerabilities and release
            schedule.
2013-01-21: Conference call - discussing implemented solutions.
2013-01-23: Barracuda Networks releases alert & secdef.
2013-01-24: SEC Consult releases coordinated security advisory.


Solution:
---------
Update to Security Definition 2.0.5.


Workaround:
-----------
No workaround available.


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


EOF S. Viehböck / @2013

