Bugtraq mailing list archives
Big Brother Systems and Network Monitor vulnerability
From: Robert-Andre Croteau <robert () BB4 COM>
Date: Tue, 10 Oct 2000 12:15:38 -0400
===========================
Big Brother Security Notice
===========================
Date:     October 10th 2000
Issuer:   security () bb4 com
Versions: All prior to 1.5c2
          Later versions have no reported vulnerabilities
          but you should consider upgrading.
Module:   bbd.c (the bb server: BBDISPLAY/BBPAGER)
Affects:  All BBDISPLAY/BBPAGER hosts (those running bbd)
          Clients are *not* affected.
Summary:  Vulnerabilities exist such that
          arbitrary commands can be executed with the same
          userid/permissions as the user running bbd.
Fix:      Download and install the latest version from http://bb4.com
          or
          versions 1.4g to 1.5c1, in bbd.c:
          add this statement

              /*** Read this as backquote dollarsign ***/
              /*** semi-colon ampersand vertical_bar ***/
              /*** backslash backslash ***/
              clean_string(msgbuf,"`$;&|\\");

          before this one

              do_bb(msgbuf);

          versions prior to 1.4g
          add this function in bbd.c

              /* Replace every character of str that appears in  */
              /* rm_chars with a space (strchr is in <string.h>) */
              void clean_string(str,rm_chars)
              char *str;
              char *rm_chars;
              {
                  char *tmpstr;

                  while( *rm_chars ) {
                      while( (tmpstr=(char *)strchr(str,*rm_chars)) ) {
                          *tmpstr = ' ';
                      }
                      rm_chars++;
                  }
              }

          and add this statement

              /*** Read this as backquote dollarsign ***/
              /*** semi-colon ampersand vertical_bar ***/
              /*** backslash backslash ***/
              clean_string(msgbuf,"`$;&|\\");

          before this statement

              do_bb(msgbuf);

          Recompile bbd (make) and reinstall (make install). YMMV!

          The clean_string(msgbuf,"`$;&|\\"); statement that removes
          the '&' character will disable some display functionality
          in BB, but it's very minor. Upgrade to the latest version
          if you want a full working version.

Note:     BB should not be run as root!

          Those that compiled in the enable/disable feature
          *should* upgrade to the latest version or disable
          the enable/disable feature (recompile bbd without
          the -DENABLE_DISABLE flag).

          Particularly vulnerable are the servers that are not
          protected by firewalls (nothing new!), that do not
          use the etc/security file and use the enable/disable
          feature (optional and user compiled-in), and those that
          keep historical logs (default).

Found by: Andrew Dalgleish, Thanks!
---
Robert-Andre Croteau
BB4 Technologies Inc.
security () bb4 com
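
As an added illustration (not code from BB4 or from the bbd source): a single-pass variant of the advisory's clean_string() that also returns how many characters it blanked, so the caller can log a message that carried shell metacharacters instead of rewriting it silently. The names clean_string_count and BB_SHELL_META, the log wording and the sample messages are assumptions constructed for this example; the "&yellow" tag stands in for the '&' display functionality the advisory says is lost.

```c
#include <stdio.h>
#include <string.h>

/* The set the advisory strips: backquote, dollar sign, semicolon,
 * ampersand, vertical bar, backslash. */
#define BB_SHELL_META "`$;&|\\"

/* Hypothetical helper: blanks every byte of str that appears in
 * rm_chars, scanning the buffer once, and returns the number of
 * bytes replaced (0 means the message was already clean). */
size_t clean_string_count(char *str, const char *rm_chars)
{
    size_t replaced = 0;
    char *p = str;

    if (str == NULL || rm_chars == NULL)
        return 0;
    while ((p = strpbrk(p, rm_chars)) != NULL) {
        *p++ = ' ';          /* same replacement as clean_string() */
        replaced++;
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    char benign[] = "status www.http green Tue Oct 10 12:15:38 OK";
    char tagged[] = "status www.disk yellow &yellow /var 91%";
    char *samples[] = { benign, tagged };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = clean_string_count(samples[i], BB_SHELL_META);
        if (n > 0)           /* constructed log line for the example */
            fprintf(stderr, "bbd: blanked %lu metacharacter(s)\n",
                    (unsigned long)n);
        printf("%s\n", samples[i]);
    }
    return 0;
}
```

The second sample shows the side effect described in the notice: the '&' in front of the tag is blanked along with the other characters in the set.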
