Big Brother Arbitrary Shell Command Execution Vulnerability
Solution: Upgrade all versions prior to 1.5c2. While later versions are not reported vulnerable, users should consider upgrading to the latest version (1.5d2 or higher).

The following is excerpted from the original

Download and install the latest version from http://bb4.com

or

versions 1.4g to 1.5c1, in bbd.c:

add this statement

    /*** Read this as backquote dollarsign ***/
    /*** semi-colon ampersand vertical_bar ***/
    /*** backslash backslash ***/
    clean_string(msgbuf,"`$;&|\\");

before this one

    do_bb(msgbuf);

versions prior to 1.4g

add this function in bbd.c

    void clean_string(str,rm_chars)
    char *str;
    char *rm_chars;
    {
        char *tmpstr;

        while( *rm_chars ) {
            while( tmpstr=(char *)strchr(str,*rm_chars) ) {
                *tmpstr = ' ';
            }
            rm_chars++;
        }
    }

and add this statement

    /*** Read this as backquote dollarsign ***/
    /*** semi-colon ampersand vertical_bar ***/
    /*** backslash backslash ***/
    clean_string(msgbuf,"`$;&|\\");

before this statement

    do_bb(msgbuf);

Recompile bbd (make) and reinstall (make install).

YMMV !

The clean_string(msgbuf,"`$;&|\\"); statement that removes the '&' character will disable some display functionality in BB but it's very minor. Upgrade to the latest version if you want a full working version.

Note: BB should not be run as root!
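The filtering step above, as an added example that is not part of the original advisory or of Big Brother's source: a standard-C equivalent of clean_string() that also returns how many characters it replaced, so a daemon can log messages that carried shell metacharacters. The names BB_RM_CHARS, clean_string_count and sanitize_copy are hypothetical, and the sample messages are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Metacharacter set from the advisory: ` $ ; & | \ */
static const char BB_RM_CHARS[] = "`$;&|\\";

/* Same effect as the advisory's clean_string(): each byte of str found in
 * rm_chars becomes a space. Also returns how many bytes were replaced, so
 * the caller can log input that carried shell metacharacters. */
size_t clean_string_count(char *str, const char *rm_chars)
{
    size_t replaced = 0;
    char *p = str;

    /* strpbrk() jumps to the next byte that belongs to rm_chars. */
    while ((p = strpbrk(p, rm_chars)) != NULL) {
        *p++ = ' ';
        replaced++;
    }
    return replaced;
}

/* Hypothetical wrapper: sanitize a bounded copy and report the count. */
size_t sanitize_copy(const char *in, char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    strncpy(out, in, outlen - 1);
    out[outlen - 1] = '\0';
    return clean_string_count(out, BB_RM_CHARS);
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    const char *samples[] = {
        "status host1.disk green all filesystems ok",
        "status host1.cpu &red load is `high`; check $LOAD | now",
    };
    char buf[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = sanitize_copy(samples[i], buf, sizeof buf);
        printf("%zu replaced: \"%s\"%s\n", n, buf,
               n ? "  <- log for review" : "");
    }
    return 0;
}
```

Replacement is done in place with spaces, so the message length is unchanged; the '&' in the second sample is blanked along with the rest, which is the display side effect the advisory mentions.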