COMMAND

    Big Brother

SYSTEMS AFFECTED

    All installed BB CGI scripts prior to v1.5d3

PROBLEM

    Loki found the following. Big Brother is designed to let anyone,
    from omniscient Sys Admins to Pointy-Headed Bosses, see how the
    network is doing in near real-time, from any web browser,
    anywhere.

    Vulnerabilities exist such that someone can identify whether
    sensitive files exist and determine user ids on the BBDISPLAY
    server(s), then use those to launch a password brute-force attack,
    e.g.

        http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*

    Using this information, an attacker can confirm not only whether
    sensitive files exist on the system, but also which user accounts
    are valid, for a further brute-force attack on the system.
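    The root cause shown above is a CGI parameter (HISTFILE) that is
    handed to the shell as a path, so a value like /home/* is expanded
    as a glob and the response reveals what exists. The sketch below
    is an added example written for this page, not Big Brother's own
    code or the vendor patch: it shows the kind of allowlist check a
    CGI like bb-hist.sh needs (only a plain host name, resolved under a
    fixed directory), plus a detector that counts rejected HISTFILE
    values in web-server access-log lines. BBHIST_DIR, the 64-character
    limit and the sample log lines are all assumptions or constructed
    data, not values from the advisory.

```shell
#!/bin/sh
# Added example, not Big Brother's code. Allowlist validation for a
# HISTFILE-style CGI parameter, and a log scan for values that fail it.

BBHIST_DIR="/usr/local/bb/www/hist"   # assumed install path, adjust

# validate_histfile NAME
# Returns 0 only if NAME is a bare host-name-like token: characters
# [A-Za-z0-9._-], no leading dot, no "..", at most 64 chars.  Any
# value carrying / * ? [ % or whitespace (so also URL-encoded paths
# and globs, which contain %) falls out of the allowlist and fails.
validate_histfile() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 64 ] || return 1
    case $name in
        .*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# histfile_path NAME
# Prints the history file path under BBHIST_DIR for a valid NAME and
# returns 0; prints nothing and returns 1 for anything else.  The
# script must use this path, never the raw parameter.
histfile_path() {
    validate_histfile "$1" || return 1
    printf '%s/%s\n' "$BBHIST_DIR" "$1"
}

# count_bad_histfile_requests
# Reads access-log lines (common log format) on stdin and prints how
# many bb-hist.sh requests carried a HISTFILE value that validation
# would reject.  Useful for spotting probing after the fact.
count_bad_histfile_requests() {
    n=0
    while IFS= read -r line; do
        case $line in
            *bb-hist.sh?HISTFILE=*) ;;
            *) continue ;;
        esac
        v=${line#*HISTFILE=}
        v=${v%%" "*}      # cut at end of request target
        v=${v%%"&"*}      # cut at next query parameter
        validate_histfile "$v" || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample log lines for a stand-alone run (not real traffic).
SAMPLE_LOG='10.0.0.5 - - [21/Nov/1999:10:00:01 -0500] "GET /cgi-bin/bb-hist.sh?HISTFILE=www.example.com HTTP/1.0" 200 512
10.0.0.9 - - [21/Nov/1999:10:00:07 -0500] "GET /cgi-bin/bb-hist.sh?HISTFILE=/home/* HTTP/1.0" 200 2048
10.0.0.9 - - [21/Nov/1999:10:00:09 -0500] "GET /cgi-bin/bb-hist.sh?HISTFILE=../../etc/passwd HTTP/1.0" 200 1024
10.0.0.5 - - [21/Nov/1999:10:00:12 -0500] "GET /index.html HTTP/1.0" 200 100'

main() {
    for p in www.example.com '/home/*' '../../etc/passwd'; do
        if histfile_path "$p" >/dev/null; then
            echo "accept: $p -> $(histfile_path "$p")"
        else
            echo "reject: $p"
        fi
    done
    printf 'suspicious bb-hist.sh requests in sample log: %s\n' \
        "$(printf '%s\n' "$SAMPLE_LOG" | count_bad_histfile_requests)"
}

main
```

    Note that the allowlist is deliberately narrower than "anything
    without a slash": a glob character or an encoded path still fails
    because neither * nor % is in the permitted set, and the script
    only ever opens the path histfile_path builds under BBHIST_DIR.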

SOLUTION

    Patch details:

        http://bb4.com/incident.nov21