[15761] in bugtraq


Re: REMOTE EXPLOIT IN ALL CURRENT VERSIONS OF BIG BROTHER

daemon@ATHENA.MIT.EDU (Andrew L . Davis)
Wed Jul 12 16:42:33 2000

Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000711175328.A7666@threkstun.net>
Date:         Tue, 11 Jul 2000 17:53:28 -0400
Reply-To: "Andrew L . Davis" <adavis@THREKSTUN.NET>
From: "Andrew L . Davis" <adavis@THREKSTUN.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <00071110152805.00679@sj-soc-wks1.priv.nuasis.com>; from
              eric.hines@nuasis.com on Tue, Jul 11, 2000 at 10:10:28AM -0700

On Tue, Jul 11, 2000 at 10:10:28AM -0700, Eric Hines wrote:
>  The problem exists in the code where $HOSTSVC does not do authenticity
>  checking for its assigned variable.
>
>  e.g. http://www.bb4.com/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd
>
>  BB4 Technologies has already been notified and a patch is already out.
>  It can be downloaded from http://www.bb4.com/download.html

Quick fix.

Edit the file bbdef.sh located in $BBHOME/etc and change
the variable BBLOGSTATUS from DYNAMIC to STATIC.  Then remove the bb-hostsvc.sh
file from the cgi-bin directory.

On another note, I could not get the /etc/shadow file to display but could get
the /etc/passwd to display.  The major difference is that passwd was world
readable.  Also I am running suexec and the cgi files are being run as user
and group "bb" on my box.

--
 "...everybody happy but Zathras...but Zathras never happy...Zathras
  happy once, had friend once, but wheels fell off, very sad...."
		-- Zathras, Babylon 5
 Andrew L. Davis					adavis@threkstun.net
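
Added example, not part of the original post and not Big Brother's code: one way a shell CGI could validate a HOSTSVC-style parameter before using it as a file name. The function names, the allowed character set and the log directory layout are assumptions.

```shell
#!/bin/sh
# Added example; not Big Brother's code. The allowlist and the log
# directory layout are assumptions for illustration.
LC_ALL=C; export LC_ALL   # make the A-Z/a-z ranges byte-exact

# hostsvc_is_safe NAME: succeed only if NAME is a bare file name.
hostsvc_is_safe() {
    [ -n "$1" ] || return 1
    case $1 in
        *[!A-Za-z0-9._,-]*) return 1 ;;  # rejects '/', '%', spaces, etc.
        .*)   return 1 ;;                # '.', '..' and hidden files
        *..*) return 1 ;;                # any '..' run inside the name
    esac
    return 0
}

# resolve_hostsvc DIR NAME: print DIR/NAME if it is safe to serve.
resolve_hostsvc() {
    hostsvc_is_safe "$2" || return 1
    # Must be a regular file, and not a symlink pointing out of DIR.
    if [ -f "$1/$2" ] && [ ! -L "$1/$2" ]; then
        printf '%s\n' "$1/$2"
    else
        return 1
    fi
}

# Constructed demo: one sample log file, a symlink, and the value
# quoted in the report above.
demo() {
    d=$(mktemp -d) || return 1
    echo "green" > "$d/www,example,com.conn"
    ln -s /etc/passwd "$d/link.conn"
    for v in 'www,example,com.conn' \
             '/../../../../../../../../etc/passwd' 'link.conn' ''; do
        if resolve_hostsvc "$d" "$v" >/dev/null; then r=served; else r=refused; fi
        printf '%-40s %s\n' "[$v]" "$r"
    done
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument `demo` to see which sample values are served and which are refused.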
