OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: REMOTE EXPLOIT IN ALL CURRENT VERSIONS OF BIG BROTHER- short fix
From: Jake Schleich (schleichCGOCABLE.NET)
Date: Tue Jul 11 2000 - 15:51:38 CDT

Just a note on the new bug in the hostsvc cgi.

I found that by just downloading the new 1.4h2 and running the bbconfig and
filling in the variables, it overwrote the offending file without me having
to reinstall the entire thing; a pain when it comes to reconfiguring. It
asks which files it will overwrite in the cgi-bin, you just say no to the
custom ones(if you have replaced a few of the default bb cgi's with /ext
released versions as I have) and replace the offending file(s).
So in short, the bbconfig script will fix the problem without a rebuild.

The hole appears to be patched on my server now (I already had the 1.4h
release; I cant say this will work if you are using an older version).

This may be a short way for bb users to fix the problem rather than a full
install; it doesnt appear it is required, and no other changes appear to be
in the release to benefit from a fresh install.

Jake Schleich
Unix Administrator - Internet Systems Department
Cogecohome - CGOcable.net
(905) 333-7085 (schleichcgocable.net)

<cut>

 The problem exists in the code where $HOSTSVC does not do authenticity
 checking for its assigned variable.

 ---- snip ----
 # get the color of the status from the status file
 set `$CAT "$BBLOGS/$HOSTSVC" | $HEAD -1` >/dev/null 2>&1 BKG="$1"
 ---- snap ----

 e.g.
http://www.bb4.com/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../.
./etc/passwd

 BB4 Technologies has already been notified and a patch is already out.
 It can be Downloaded from http://www.bb4.com/download.html

</cut>