Advisories : File Discovery Vulnerability in Big Brother

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : File Discovery Vulnerability in Big Brother

Title:	File Discovery Vulnerability in Big Brother
Released by:	Fate Research Labs
Date:	20th November 2000
Printable version:	Click here

    -----------------.---------------------------------------------.

  /|                 |                             .               |

 / | :               : :             : :             :             |

|  | ::        ------  ::            : ::          | ::     -      |-----

|  | ::              : ::     .      :      |      | ::            :     |

|  |                 :        .      |------|      |               :     |

|  |           ------^        :      |     /       |                     .

|  ;----------"---------------^------     /  ------'---------------------

| /          /               /      /----'        /                     /

|'----------'---------------'------'     --------'---------------------'

                                www.f8labs.com











[ INTRODUCTION ]



Advisory .........: File Discovery Vulnerability

Release Date .....: 11-20-00

Application ......: bb-hist.sh

                    bb-histlog.sh

                    bb-hostsvc.sh

                    bb-rep.sh

                    bb-replog.sh

                    bb-ack.sh

Vendor Web Site ..: www.bb4.com

Versions Affected.: All installed BB CGI scripts prior to v1.5d3

Vendor Status ....: Contacted // Patch Available (Thanks Robert for

                    being so cooperative.)

WWW ..............: www.f8labs.com

SHOUTS ...........: Moo baby, Im a sexy cow, yea!









[ OVERVIEW ]



Big Brother is designed to let anyone - from omniscient Sys

Admins, to Pointy-Headed Bosses, see how the network is doing

in near real-time, from any web browser, anywhere.







[ ADVISORY ]



Vulnerabilities exists such that someone can identify if sensitive

files exists and determine user ids on the BBDISPLAY server(s)

and use those to launch a password brute-force attack.

e.g. http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*



history

Mon Nov 20 22:07:25 EST 2000



Error reading history file [adam]



Utilizing this information, we are able to then validate not

only if sensitive files exist on the system, but also, valid

user accounts for a further brute-force attack on the system.







[ RESOURCES ]



Patch Details

http://bb4.com/incident.nov21



Big Brother Technologies

http://www.bb4.com



Fate Research Labs

http://www.f8labs.com







================================================================

Loki

Fate Research Labs

loki@f8labs.com

----------------------------------------------------------------

BEGIN PGP SIGNATURE



iQA/AwUBOfZvfGnwBJRV5bxfEQJu7gCfQ/T0O9u75nzRGWVSeurNmnFRVr8Anj0c

M+UXhPDBvsm+ffRpv41zevQN

=3IRx

================================================================