TUCoPS :: Unix :: General :: bb3~1.txt

Big Brother arbitrary file creation problem

COMMAND

    Big Brother

SYSTEMS AFFECTED

    bb14h2 and older

PROBLEM

    'xternal' found following.   bbd listens for incoming  connections
    on port 1984.   Using telnet or the  bb client, it is  possible to
    connect and create a filename with an arbitrary extension, as  the
    extension is not rigorously checked.  As this file is droped  into
    a directory accessible via the web server, any file extension that
    is parsed server side can be abused.  For example:

        ./bb 1.2.3.4 "status evil.php3 <?<system(\"cat /etc/passwd\");?>"

    will allow viewing of the /etc/passwd upon browsing to

        http://1.2.3.4/bb/logs/evil.php3.

SOLUTION

    - Modify  bbd.c to  only allowed  specified file extensions(.disk,
      .proc ...)
    - Implement  access  restrictions  via  $BBHOME/etc/security    to
      minimize  exposure  to   vulnerabilities.   Unfortunately,   the
      default install doesn't enable the security file.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH