CVE-2005-2847
Published 2005-09-08
CVE-2005-2847: img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f…
Priority: P272 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 53.37% (98.9th percentile)
img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| barracuda_networks | barracuda_spam_firewall | — | — |
| barracuda_networks | barracuda_spam_firewall | — | — |
Detection & IOCs (extracted from sources)
- Detect path traversal attempts against /cgi-bin/img.pl via the 'f' parameter containing '../' sequences or URL-encoded equivalents (%2e%2e) targeting /etc/hosts or /bin/sh.
- Detect shell metacharacter injection in the 'f' parameter of img.pl, specifically pipe characters ('|') combined with shell command strings such as '/bin/sh -c'.
- Exploit check requests use the 'f' parameter with repeated '../' (8 times) to traverse to /etc/hosts; a 200 response containing 'localhost' or '127.0.0.1' confirms vulnerability.
- Command output from the server is delimited by the string 'YYY'; monitor HTTP responses from /cgi-bin/img.pl containing 'YYY' as a sign of successful exploitation.
- Requests to port 8000 targeting /cgi-bin/img.pl with traversal or shell metacharacters in the 'f' GET parameter should be flagged; default exploit port is 8000.
- Vulnerable firmware versions are 3.1.16 and 3.1.17; version 3.1.18 and later are not affected. Scope detection rules to these specific versions where version fingerprinting is available.
- The exploit default port is 8000, but SSL may also be used; detection rules should account for both HTTP and HTTPS on non-standard ports.
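A request-side check for the indicators listed above, as an added example that is not from this page or its sources. It assumes common/combined-format access logs from the appliance or a proxy in front of it; the log lines, client addresses, the file name `barracuda.gif` and the `CMD` placeholder are constructed. Repeated percent-decoding and the metacharacters other than '|' go beyond the indicators listed and are a generalization.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a common/combined-format access log line.
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
SHELL_META = set("|;&`$")  # '|' is the page's indicator; the rest are a generalization

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e becomes '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return sorted finding tags for one log line ([] if nothing matches)."""
    m = REQ_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not fully_decode(url.path).lower().endswith("/img.pl"):
        return []
    tags = set()
    for raw in parse_qs(url.query, keep_blank_values=True).get("f", []):
        value = fully_decode(raw)
        # A '..' path segment, with backslashes treated as separators too.
        if ".." in value.replace("\\", "/").split("/"):
            tags.add("traversal")
        if SHELL_META & set(value):
            tags.add("shell-metachar")
    return sorted(tags)

def scan(lines):
    """Return (line_number, client, tags) for every suspicious line."""
    return [(n, line.split()[0], tags)
            for n, line in enumerate(lines, 1)
            if (tags := classify(line))]

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Sep/2005:10:00:01 +0000] "GET /cgi-bin/img.pl?f=barracuda.gif HTTP/1.0" 200 1834',
    '198.51.100.7 - - [08/Sep/2005:10:00:02 +0000] "GET /cgi-bin/img.pl?f=../../../../../../../../etc/hosts HTTP/1.0" 200 211',
    '198.51.100.7 - - [08/Sep/2005:10:00:03 +0000] "GET /cgi-bin/img.pl?f=%252e%252e%252f%252e%252e%252fetc%252fhosts HTTP/1.0" 200 211',
    '203.0.113.9 - - [08/Sep/2005:10:00:04 +0000] "GET /cgi-bin/img.pl?f=x.gif%7C/bin/sh%20-c%20CMD%7C HTTP/1.0" 200 57',
    '203.0.113.9 - - [08/Sep/2005:10:00:05 +0000] "GET /index.cgi?f=../x HTTP/1.0" 404 0',
]
```

Access logs carry no response body, so the 'YYY' delimiter and the 'localhost' confirmation have to be matched separately on captured responses.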
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH
GHSA
GHSA-3gpf-pr7r-gxcf: img
ghsa_unreviewed·2022-05-01
img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter.
VulnCheck
Barracuda Networks barracuda_spam_firewall Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2005·CVSS 7.5
img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter.
Affected: Barracuda Networks barracuda_spam_firewall
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware
No detection rules found.
Exploit-DB
Barracuda - IMG.pl Remote Command Execution (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: barracuda_img_exec.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Barracuda IMG.PL Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in the
Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.
},
'Author' => [ 'Nicolas Gregoire ', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
['CVE', '2005-2847'],
['OSVDB',
Exploit-DB
Barracuda Spam Firewall < 3.1.18 - Command Execution (Metasploit)
exploitdb·2005-09-27
CVE-2005-2848 Barracuda Spam Firewall < 3.1.18 - Command Execution (Metasploit)
Barracuda Spam Firewall 'Barracuda IMG.PL Remote Command Execution',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'Nicolas Gregoire ' ],
'Arch' => [ 'x86' ],
'OS' => [ 'linux' ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 8000],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'IMG' => [1, 'DATA', 'Full path of img.pl script', '/cgi-bin/img.pl'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits an arbitrary command execution vulnerability in the
Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.
}),
'Refs' =>
[
['URL', 'http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1'],
['CVE', '2005-2847'],
['OSVDB', '19279'],
Metasploit
Barracuda IMG.PL Remote Command Execution
metasploit
This module exploits an arbitrary command execution vulnerability in the Barracuda Spam Firewall appliance. Versions prior to 3.1.18 are vulnerable.
No writeups or analysis indexed.
- http://marc.info/?l=bugtraq&m=112560044813390&w=2
- http://secunia.com/advisories/16683/
- http://www.securityfocus.com/bid/14712
- http://www.securitytracker.com/alerts/2005/Sep/1014837.html
- http://www.securiweb.net/wiki/Ressources/AvisDeSecurite/2005.1