TUCoPS :: Web :: Adminware, Control Panels :: bbd23.htm

Big Brother Systems and Network Monitor (All prior to 1.5c2) execute arbitrary code
Vulnerability

    bbd (Big Brother)

Affected

    Big Brother Systems and Network Monitor (All prior to 1.5c2)

Description

    Andrew Dalgleish found the following. A vulnerability exists such
    that arbitrary commands can be executed with the same
    userid/permissions as the user running bbd. The fix below strips
    shell metacharacters from the received message buffer (msgbuf)
    before it is handed to do_bb(), which indicates that message
    contents reach a shell command line unsanitised.

Solution

    Download and install the latest version from

        http://bb4.com

    or for versions 1.4g to 1.5c1, in bbd.c (add this statement):

        /*** Read this as backquote dollarsign ***/
        /***   semi-colon ampersand vertical_bar ***/
        /***   backslash backslash ***/
        clean_string(msgbuf,"`$;&|\\");

    before this one

        do_bb(msgbuf);

    For versions prior to 1.4g, add this function in bbd.c:

        #include <string.h>     /* for strchr(); add if bbd.c lacks it */

        /* Overwrite every occurrence of each character in rm_chars
           with a space, so the message can no longer carry the listed
           shell metacharacters into the command built by do_bb(). */
        void clean_string(str,rm_chars)
        char *str;
        char *rm_chars;
        {
        char *tmpstr;
                while( *rm_chars ) {
                        while( (tmpstr=strchr(str,*rm_chars)) != NULL ) {
                                *tmpstr = ' ';
                        }
                        rm_chars++;
                }
        }

    and add this statement

        /*** Read this as backquote dollarsign ***/
        /***   semi-colon ampersand vertical_bar ***/
        /***   backslash backslash ***/
        clean_string(msgbuf,"`$;&|\\");

    before this statement

        do_bb(msgbuf);

    Recompile bbd (make) and reinstall (make install). Because the
    clean_string(msgbuf,"`$;&|\\"); statement also removes the '&'
    character, it disables some display functionality in BB, but the
    loss is very minor. Note that this is a blacklist: only the six
    listed characters are neutralised, and each is replaced by a space
    rather than the message being rejected. Upgrade to the latest
    version if you want a fully working version.

    Note: BB should not be run as root!
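
    The following is an added example; it is not code from Big Brother
    or from this advisory. It restates the advisory's clean_string() in
    ANSI C, puts an allowlist sanitiser beside it, and runs both over a
    constructed hostile status message. It shows the caveat a reader
    should take from the fix above: the blacklist "`$;&|\\" neutralises
    only those six characters, so other shell-significant input such as
    a newline (which sh also treats as a command separator), quotes or
    parentheses passes through untouched. The function names
    (clean_string_count, clean_allowlist, contains_shell_meta), the
    allowlist punctuation set and the sample message are assumptions
    chosen for the demonstration; the example assumes the message ends
    up inside a shell command line, as the advisory's fix implies, and
    does not reproduce how do_bb() actually uses it.

```c
/* Added example, not from the Big Brother sources or the advisory.
 * All identifiers here are hypothetical; the sample message is
 * constructed for the demonstration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* ANSI-C form of the advisory's clean_string(): every occurrence of any
 * character in rm_chars is overwritten with a space.  Returns the number
 * of characters replaced, so a caller can log or reject on non-zero. */
int clean_string_count(char *str, const char *rm_chars)
{
    int replaced = 0;
    for (; *str; str++) {
        if (strchr(rm_chars, *str) != NULL) {
            *str = ' ';
            replaced++;
        }
    }
    return replaced;
}

/* Allowlist variant, stricter than the advisory's fix: keep ASCII
 * letters, digits and a small punctuation set (an assumption for this
 * example); everything else, including newline and quotes, becomes a
 * space.  Returns the number of characters replaced. */
int clean_allowlist(char *str)
{
    static const char keep[] = " .,:-_/@=+";
    int replaced = 0;
    for (; *str; str++) {
        unsigned char c = (unsigned char)*str;
        if (!(isalnum(c) || strchr(keep, c) != NULL)) {
            *str = ' ';
            replaced++;
        }
    }
    return replaced;
}

/* Does the string still contain a character that sh treats as a command
 * separator, substitution or quoting construct?  Newline is included
 * because it separates commands just as ';' does. */
int contains_shell_meta(const char *s)
{
    return strpbrk(s, "`$;&|\\\n'\"()<>") != NULL;
}

/* Constructed hostile message: a backquote substitution followed by a
 * newline-separated second command.  The advisory's blacklist catches
 * the backquotes and the semicolon but not the newline. */
#define SAMPLE_MSG "status host.example.com green `id`;touch /tmp/x\nuname -a"

int main(void)
{
    char a[sizeof SAMPLE_MSG], b[sizeof SAMPLE_MSG];
    strcpy(a, SAMPLE_MSG);
    strcpy(b, SAMPLE_MSG);

    printf("blacklist replaced %d chars: [%s]\n", clean_string_count(a, "`$;&|\\"), a);
    printf("blacklist leaves shell metacharacters: %s\n", contains_shell_meta(a) ? "yes" : "no");
    printf("allowlist replaced %d chars: [%s]\n", clean_allowlist(b), b);
    printf("allowlist leaves shell metacharacters: %s\n", contains_shell_meta(b) ? "yes" : "no");
    return 0;
}
```

    The allowlist is still a mitigation rather than a fix: the robust
    change is to stop passing untrusted message text through a shell at
    all (exec the helper directly with the message as an argument), so
    that no character set has to be enumerated.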
