Subject: Big Brother Systems and Network Monitor vulnerability
From: Robert-Andre Croteau (robert@BB4.COM)
Date: Tue Oct 10 2000 - 11:15:38 CDT


                 ===========================
                 Big Brother Security Notice
                 ===========================

Date: October 10th 2000

Issuer: security@bb4.com

Versions: All prior to 1.5c2
          Later versions have no reported vulnerabilities
          but you should consider upgrading.

Module: bbd.c (the bb server: BBDISPLAY/BBPAGER)

Affects: All BBDISPLAY/BBPAGER hosts (those running bbd)
          Clients are *not* affected.

Summary: Vulnerabilities exist such that
          arbitrary commands can be executed with the same
          userid/permissions as the user running bbd.

Fix: Download and install the latest version from http://bb4.com

          or

          versions 1.4g to 1.5c1, in bbd.c:
              add this statement
                  /*** Read this as backquote dollarsign ***/
                  /*** semi-colon ampersand vertical_bar ***/
                  /*** backslash backslash ***/
                  clean_string(msgbuf,"`$;&|\\");
              before this one
                  do_bb(msgbuf);

          versions prior to 1.4g

              add this function in bbd.c

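              /* Replace every character of str that appears in */
              /* rm_chars with a space (needs <string.h>) */
              void clean_string(str,rm_chars)
              char *str;
              char *rm_chars;
              {
              char *tmpstr;
                      while( *rm_chars ) {
                              while( (tmpstr=(char *)strchr(str,*rm_chars)) ) {
                                      *tmpstr = ' ';
                              }
                              rm_chars++;
                      }
              }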

              and add this statement

                  /*** Read this as backquote dollarsign ***/
                  /*** semi-colon ampersand vertical_bar ***/
                  /*** backslash backslash ***/
                  clean_string(msgbuf,"`$;&|\\");

              before this statement

                  do_bb(msgbuf);

          Recompile bbd (make) and reinstall (make install). YMMV !

          The clean_string(msgbuf,"`$;&|\\"); statement that removes
          the '&' character will disable some display functionality
          in BB but it's very minor. Upgrade to the latest version
          if you want a full working version.

Note: BB should not be run as root!

          Those that compiled in the enable/disable feature
          *should* upgrade to the latest version or disable
          the enable/disable feature (recompile bbd without
          the -DENABLE_DISABLE flag)

          Particularly vulnerable are the servers that are not
          protected by firewalls (nothing new!), that do not
          use the etc/security file and use the enable/disable
          feature (optional and user compiled-in) and those that
          keep historical logs (default).

Found by: Andrew Dalgleish, Thanks!

---
Robert-Andre Croteau
BB4 Technologies Inc.
security@bb4.com
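
The sanitising step from the Fix section, as an added example that is not part of the original notice or of the Big Brother source: an ANSI C equivalent of clean_string() that also counts what it replaced, so a maintainer can log messages that carried shell metacharacters. The names clean_string_count, sanitize_copy and BBD_RM_CHARS are hypothetical, and the sample messages are constructed.

```c
#include <stdio.h>
#include <string.h>

/* The character set the notice passes to clean_string():
 * backquote, dollar sign, semicolon, ampersand, vertical bar, backslash. */
#define BBD_RM_CHARS "`$;&|\\"

/* Same effect as the notice's clean_string(): every byte of str that occurs
 * in rm_chars is overwritten with a space. The return value (number of bytes
 * replaced) is an addition made for this example. */
static int clean_string_count(char *str, const char *rm_chars)
{
    int replaced = 0;
    for (; *str; str++) {
        if (strchr(rm_chars, *str)) {
            *str = ' ';
            replaced++;
        }
    }
    return replaced;
}

/* Hypothetical wrapper: copy an incoming message into a bounded buffer,
 * clean the copy, and return how many bytes were neutralised
 * (-1 if the output buffer has no room at all). */
static int sanitize_copy(const char *in, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    snprintf(out, outlen, "%s", in);   /* truncates and NUL-terminates */
    return clean_string_count(out, BBD_RM_CHARS);
}

int main(void)
{
    /* Constructed sample messages, not captured bbd traffic. */
    const char *samples[] = {
        "disk usage ok on all filesystems",
        "cpu load `a` $b ; c & d | e \\ f",
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = sanitize_copy(samples[i], buf, sizeof buf);
        printf("%d byte(s) replaced: \"%s\"\n", n, buf);
    }
    return 0;
}
```

A non-zero count is the case worth logging; the second sample also shows the '&' being blanked, which is the display side effect the notice mentions.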