COMMAND

    Big Brother

SYSTEMS AFFECTED

    bb14h2 and older

PROBLEM

    'xternal' found following.  bbd listens for incoming connections on
    port 1984.  Using telnet or the bb client, it is possible to connect
    and create a filename with an arbitrary extension, as the extension
    is not rigorously checked.  As this file is dropped into a directory
    accessible via the web server, any file extension that is parsed
    server side can be abused.  For example:

        ./bb 1.2.3.4 "status evil.php3 <?<system(\"cat /etc/passwd\");?>"

    will allow viewing of the /etc/passwd upon browsing to

        http://1.2.3.4/bb/logs/evil.php3.

SOLUTION

    - Modify bbd.c to only allow specified file extensions (.disk, .proc
      ...)
    - Implement  access  restrictions  via  $BBHOME/etc/security    to
      minimize  exposure  to   vulnerabilities.   Unfortunately,   the
      default install doesn't enable the security file.
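
    The first fix above, an extension allowlist applied to the report name
    before bbd writes anything under the web-served logs directory, could
    look like the following.  This is an added example, not code from
    Big Brother's bbd.c; the .disk and .proc extensions come from the
    advisory, any other entries in the table are assumptions, and the
    accepted hostname character set (letters, digits, '-', '_' and the
    ',' that bb uses in place of dots in hostnames) is likewise an
    assumption of this example.

```c
/* Added example (not Big Brother's own bbd.c): validate the report
 * filename taken from a "status" message before it is written into
 * $BBHOME/www/logs.  Anything not matching a known test extension is
 * rejected, so a client cannot drop a server-parsed file type there. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Allowlist of report extensions.  .disk and .proc are named in the
 * advisory; extend with the tests your site actually runs. */
static const char *const allowed_ext[] = { ".disk", ".proc", NULL };

#define MAX_REPORT_NAME 64

/* Returns 1 if name is an acceptable report filename, 0 otherwise. */
int report_name_ok(const char *name)
{
    const char *dot;
    size_t i, stem_len, len;

    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_REPORT_NAME) return 0;

    /* No path components: the file must land directly in the logs
     * directory, never in a parent or sibling directory. */
    if (strchr(name, '/') != NULL || strstr(name, "..") != NULL) return 0;

    /* Split at the LAST dot so "evil.disk.php3" is judged by ".php3". */
    dot = strrchr(name, '.');
    if (dot == NULL || dot == name) return 0;   /* need "host.ext" */
    stem_len = (size_t)(dot - name);

    /* Conservative character set for the host part (assumption: bb
     * stores hostnames with dots replaced by commas, hence ','). */
    for (i = 0; i < stem_len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != ',') return 0;
    }

    /* Extension must match an allowlist entry exactly (case-sensitive,
     * so "host.DISK" is refused rather than trusted). */
    for (i = 0; allowed_ext[i] != NULL; i++) {
        if (strcmp(dot, allowed_ext[i]) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names: the first two are what bb clients
     * legitimately send, the rest are the kind of input bbd should drop. */
    const char *samples[] = {
        "www,example,com.disk", "host.proc",
        "evil.php3", "evil.disk.php3", "../evil.disk", ".disk", "host.DISK"
    };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-24s %s\n", samples[n],
               report_name_ok(samples[n]) ? "accept" : "reject");
    return 0;
}
```

    The check runs on the raw name from the client, before any path is
    built from it, so the logs directory can only ever contain files
    whose extension the daemon itself vouches for.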