Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Network Appliances :: c07-1181.htm

Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Barracuda Convert-UUlib library buffer overflow leads to remote compromise

Topic:                  Barracuda Convert-UUlib library buffer
                        overflow leads to remote compromise

Announced:              2006-12-05
Product:                Barracuda Spam Firewall
Impact:                 Remote shell access
Affected product:       Barracuda Spam Firewall with firmware <
               AND virus definition < 2.0.325
Credits:                Jean-S=E9bastien Guay-Leroux
CVE ID:                 CVE-2005-1349


The Barracuda Spam Firewall is an integrated hardware and software
solution for complete protection of your email server. It provides a
powerful, easy to use, and affordable solution to eliminating spam and
virus from your organization by providing the following protection:

 * Anti-spam
 * Anti-virus
 * Anti-spoofing
 * Anti-phishing
 * Anti-spyware (Attachments)
 * Denial of Service


In 2005, Mark Martinec and Robert Lewis found a flaw in the Convert-
UUlib library.  Few details were published regarding this flaw.

After some research, I found that the flaw was in the part of the code
where BinHex files were getting parsed.  By supplying an invalid size
for the resource fork or data fork in a BinHex's file header, it is
possible to create a heap overflow.

By taking advantage of the sequentials calls to free(), it's possible
to overwrite more than 4 bytes.  In fact, we can write a jmpcode in
memory that will jump to one of our registers containing the location
of our shellcode.  By using this technique, the exploit will be much
more reliable.  You will only need to supply a return location address
to the exploit code.

You do NOT need to have remote administration access (on port 8000)
for successfull exploitation.

For further informations about the details of the bugs, check the
exploit code.


Gain shell access to the remote Barracuda Spam Firewall.


Using the PIRANA framework, available at , 
it is possible to test the Barracuda Spam Firewall against the
Convert-UUlib vulnerability.

The version 0.3.1 of the PIRANA framework incorporates a new module to
exploit the Convert-UUlib library bug.  It contains three hardcoded
offsets that should reliably exploit every Barracuda Spam Firewall
with a firmware below and virus definition below 2.0.325.

By calling PIRANA the way it is described below, you will get a TCP
connect back shell on IP address and port 1234:

perl -e 5 -h -a postmaster -s 0 \
-l -p 1234


This affects firmware releases before versions  This is no
longer an issue with Barracuda's customers with current Energize
Updates, running virus definition 2.0.325, released Nov. 29, 2006.  It
is recommended that Barracuda's customers upgrade to the latest
generally available release.


Mark Martinec and Robert Lewis found the original flaw in Convert-

Jean-S=E9bastien Guay-Leroux conducted further research on the bug and
produced an exploitation plugin for the PIRANA framework.



2005-04-26  : Bug is disclosed by Mark Martinec and Robert Lewis.
2006-08-??  : Convert-UUlib module exploit written for PIRANA.
2006-11-28  : Barracuda Networks is notified about the problem.
2006-11-28  : Barracuda Networks acknowledged the problem.
2006-11-29  : Barracuda Networks published a fix.
2006-12-05  : Advisory is disclosed to the public.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2016 AOH