Full Disclosure mailing list archives
Re: [Cert-lists] Re: Re: Gaim festival plugin exploit
From: Georg Moritz <georg.moritz () topalis com>
Date: Tue, 21 Oct 2003 00:46:46 +0200 (CEST)
Cael Abal wrote:
> DUH... would help if I attached my attachment. I am right proud of myself for this, and it also needs mention to address the security issue that our friend Error (is that a reference to Zelda 2?) raised. Attached, find the latest reissue of the Gaim festival plugin. The guy that wrote it, wrote it for the pre-0.68 Perl API, but it was secure against the sort of attack that Error described. I have since taken it and recoded it to work with post-0.68 versions of Gaim. It is attached. By all means, if you see an exploitable bug in there, let me know! I'm just a perl-tot..

Hi Brian,

This updated version is still vulnerable. You should be *very* wary of any call to system() or fork(). Consider this input:

"This is only a test && rm -rf /"

Notice that ';' isn't the only way to inject into a commandline.

Cheers,
Cael
One way of safely passing input without need of untainting data:

    # The command string is a constant: no user data ever reaches the shell.
    $pid = open(OUT, "| artsdsp festival -b --tts");
    if ($pid) {
        # The chat text is written to the child's STDIN only, never parsed as a command.
        print OUT "$sendername said, $message";
        close OUT;
        waitpid($pid, 0);
    } else {
        # handle error
    }

This way "$sendername said, $message" goes right into STDIN of artsdsp without being parsed by the shell. But then, artsdsp gets bogus input..

You might want to check 'man perlsec', 'perldoc -f open'

greetings, Georg

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
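The approach Georg describes, as an added example that is not part of the original post or of the plugin, taken one step further: the list form of open() (see perldoc -f open) runs the command without any shell, so the argument list can safely vary too, while the chat text still travels over STDIN. The speak() name is mine, and 'cat' is a constructed stand-in for the festival/artsdsp command so the demo runs anywhere.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Pipe untrusted chat text to a TTS command without ever touching the shell.
# @cmd is handed to open() as a list, so Perl exec()s it directly (a list of
# two or more elements never goes through /bin/sh), and the message itself
# arrives on the child's STDIN as plain data, never as part of a command line.
sub speak {
    my ($sendername, $message, @cmd) = @_;
    @cmd = ('artsdsp', 'festival', '-b', '--tts') unless @cmd;  # command from the post

    my $pid = open(my $out, '|-', @cmd)
        or die "cannot start @cmd: $!";
    print {$out} "$sendername said, $message\n";   # data, not shell syntax
    close($out);            # closing a pipe also waits for the child; $? holds its status
    return $? >> 8;         # child's exit code, 0 on success
}

# Demo: 'cat' (constructed stand-in for festival) echoes its STDIN, so the
# '&&' in the hostile message is printed back verbatim rather than executed.
if (!caller) {
    my $hostile = 'This is only a test && rm -rf /';
    my $rc = speak('Error', $hostile, 'cat');
    print "exit status: $rc\n";
}
```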
Current thread:
- Gaim festival plugin exploit error (Oct 15)
- Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 15)
- Re: Gaim festival plugin exploit Jérôme Augé (Oct 16)
- Re: Gaim festival plugin exploit HCTITS Security Division (Oct 17)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 17)
- Re: Re: Gaim festival plugin exploit Valdis . Kletnieks (Oct 18)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 17)
- Re: Gaim festival plugin exploit HCTITS Security Division (Oct 17)
- Re: Re: Gaim festival plugin exploit Cael Abal (Oct 17)
- Re: [Cert-lists] Re: Re: Gaim festival plugin exploit Georg Moritz (Oct 20)
- Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 20)
- Re: Re: Gaim festival plugin exploit Brian Hatch (Oct 23)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
- RE: Re: Gaim festival plugin exploit Scott Phelps / Dreamwright Studios (Oct 23)
- Re: Re: Gaim festival plugin exploit Dale Harris (Oct 23)
- Re: Re: Gaim festival plugin exploit Shawn McMahon (Oct 23)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
- Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
- Re: Re: Gaim festival plugin exploit Cael Abal (Oct 17)