It's today's "news" about backdoors found in several Barracuda devices. Basically, Barracuda appliances have multiple hardcoded system accounts and firewall rules specifically designed to allow remote assistance. If you want more gossip, you can read about it on KrebsOnSecurity, The Register or The H Online.

A new old story

According to the original advisory, the bug was discovered on 2012-11-20 by Stefan Viehböck. Although Stefan did pretty interesting research in the past (e.g. the WiFi WPS design bug), the Barracuda backdoor is really not a new story. Not only was this issue known, but it was even disclosed and discussed several times:

Although it's natural to be surprised that such a critical issue has been underestimated for years, we should rather use this opportunity to stop these bad practices. Unfortunately, it's not just Barracuda: many vendors have adopted similar poorly-designed solutions for remote assistance. As customers, we should always evaluate products and demand more accountability and transparency.

Digital self-defense

In 2011, while helping a friend during the setup of his network, I came across the advisory from 2004 and I started investigating. After having confirmed the issue, I decided to patch the virtual appliance on my own. If you think that the mitigation provided by Barracuda in the security definition 2.0.5 is not adequate for your environment, keep reading. Hopefully, Barracuda will reconsider the situation and you won't need to manually patch your device.

Removing system accounts and changing the configuration require privileged shell access. As the original techniques for rooting the device are now deprecated (at least in the device I had), I started looking for other ways to get a root shell. Soon, I realized that it's possible to abuse the recovery partition in order to include arbitrary resources. This technique requires "physical" access to the appliance and multiple reboots, thus I consider it better than disclosing the root password and suggesting that you abuse the backdoor in order to patch the device.

Patching your virtual appliance

Rooting the Barracuda WebApp Firewall requires a multi-step process:

Boot the Barracuda virtual appliance with a standard Linux distribution (e.g. booting from the virtual CD) and mount the recovery partition () in order to copy the patcher script (). The patcher script () can be downloaded here.

$ mkdir /mnt/temp
$ mount /dev/sda9 /mnt/temp
$ cp rootme.sh /mnt/temp/
$ chmod 777 /mnt/temp/rootme.sh
$ /mnt/temp/rootme.sh
$ umount /mnt/temp
$ reboot

From the web console, revert the firmware to the factory installed version () and reboot the appliance again. If the factory button is not available (it's gray and cannot be selected), you need to update the device to the newest firmware and repeat the entire process.

After that, you can connect via SSH to the device using a temporary root password. Removing the hardcoded system accounts and changing iptables is left as an exercise.

A few more technical details:

rootme.sh is simply used to copy rootme.cgi to the web console webroot in order to facilitate the rooting process.

rootme.cgi is used to escalate privileges from the Apache user (nobody) to root, change the root password and the firewall rules in order to allow external access.

Privilege escalation is possible due to an insecure sudoers configuration. Again, nothing fancy. Please note that I have reported this misconfiguration to Barracuda on 09/12/2011.

$ sudo mv /bin/ping /tmp/ping.old
$ sudo ln -s /bin/bash /bin/ping
$ sudo ping -c whoami
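The sudoers weakness behind the ping trick above is worth auditing on any appliance, not only Barracuda's. The script below is an added example, not code from the original post: it parses sudoers-style rules and flags those that let a non-root account run file-manipulation tools or shells as root, because a single rule allowing mv or ln turns every other permitted command (such as ping) into a root shell. The sample sudoers text is constructed, and the command and service-account lists are this example's own assumptions.

```python
import re
# Binaries that hand the caller root control when runnable as root: mv/ln/cp/chmod/chown
# replace or expose any other binary (the ping -> bash trick above), the rest are shells
# or editors. Both sets are assumptions of this example, not exhaustive lists.
DANGEROUS = {"mv", "ln", "cp", "chmod", "chown", "bash", "sh", "vi", "vim"}
SERVICE_USERS = {"nobody", "www-data", "apache", "daemon"}  # unprivileged daemon accounts

# user  host = (runas) TAG: cmd, cmd ...   (Defaults and *_Alias lines are skipped)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers(text):
    """Yield (user, runas_user, nopasswd, [commands]) for each user specification line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = RULE_RE.match(line)
        if m:
            runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
            yield (m.group("user"), runas, "NOPASSWD:" in m.group("tags"),
                   [c.strip() for c in m.group("cmds").split(",")])

def audit(text):
    """Return findings for rules that give root-equivalent power to a non-root user."""
    findings = []
    for user, runas, nopasswd, cmds in parse_sudoers(text):
        if user == "root" or runas not in ("root", "ALL"):
            continue
        for cmd in cmds:
            name = cmd.split()[0].rsplit("/", 1)[-1]  # basename, arguments stripped
            if cmd == "ALL":
                reason = "unrestricted root"
            elif name in DANGEROUS:
                reason = f"{name} as root can replace or run any binary"
            else:
                continue  # e.g. /bin/ping is harmless only while mv/ln are not also allowed
            severity = "critical" if user.lstrip("%") in SERVICE_USERS else "review"
            findings.append({"user": user, "cmd": cmd, "nopasswd": nopasswd,
                             "severity": severity, "reason": reason})
    return findings

# Constructed sample in the style of the misconfiguration described above.
SAMPLE = """\
Cmnd_Alias  DIAG = /bin/ping, /bin/netstat
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
nobody      ALL=(root) NOPASSWD: /bin/mv, /bin/ln, /bin/ping -c 3 *
nobody      ALL=(root) NOPASSWD: /usr/bin/id
"""
```

Running audit(SAMPLE) reports the two critical rules for nobody (mv and ln) and the wheel group's unrestricted rule for review, while the ping and id entries pass on their own.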