The here.
6fb960b4f5c3485bdbcec10301697c2f0a2a956ffe68740fa84a0411ce0bf4ee
-----------------.---------------------------------------------.
/| | . |
/ | : : : : : : |
| | :: ------ :: : :: | :: - |-----
| | :: : :: . : | | :: : |
| | : . |------| | : |
| | ------^ : | / | .
| ;----------"---------------^------ / ------'---------------------
| / / / /----' / /
|'----------'---------------'------' --------'---------------------'
www.f8labs.com
[ INTRODUCTION ]
Advisory .........: File Discovery Vulnerability
Release Date .....: 11-20-00
Application ......: bb-hist.sh
bb-histlog.sh
bb-hostsvc.sh
bb-rep.sh
bb-replog.sh
bb-ack.sh
Vendor Web Site ..: www.bb4.com
Versions Affected.: All installed BB CGI scripts prior to v1.5d3
Vendor Status ....: Contacted // Patch Available (Thanks Robert for
being so cooperative.)
WWW ..............: www.f8labs.com
SHOUTS ...........: Moo baby, Im a sexy cow, yea!
[ OVERVIEW ]
Big Brother is designed to let anyone - from omniscient Sys
Admins, to Pointy-Headed Bosses, see how the network is doing
in near real-time, from any web browser, anywhere.
[ ADVISORY ]
Vulnerabilities exists such that someone can identify if sensitive
files exists and determine user ids on the BBDISPLAY server(s)
and use those to launch a password brute-force attack.
e.g. http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*
history
Mon Nov 20 22:07:25 EST 2000
Error reading history file [adam]
Utilizing this information, we are able to then validate not
only if sensitive files exist on the system, but also, valid
user accounts for a further brute-force attack on the system.
[ RESOURCES ]
Patch Details
http://bb4.com/incident.nov21
Big Brother Technologies
http://www.bb4.com
Fate Research Labs
http://www.f8labs.com
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed