Gaim Festival Logoff Vulnerability <= 0.81 (1.03)

[Kristian Hermansen <khermansen () ht-technology com>]

DATE: Friday, December 3, 2004

After some playing around this week, there seems to be vulnerabilities
in the Festival plugin (/usr/lib/gaim/festival.so) for Gaim.  I tested
version 0.81 in Gaim 1.03 with the ked_diphone voice.  I'm not sure if
these are already known and remain unpatched.  Basically, by sending
certain strings you can exploit it in various ways.  ratjed and I ran
into this last night while passing some code back and forth.  For the
most simple example try sending it these two strings concurrently:

--snip--
##printf("%s", "%s", "hello world");
##printf("%s", "hello world");
--snip--

It should close down Gaim immediately.  You might be able to get it to
delete files, but I have not put more than five minutes into analyzing
it yet.  I publish this in the event that there are other more dangerous
strings that could be sent.  Any feedback is greatly appreciated and if
anyone has a patch please make it available...

CREDITS: ratjed and netsniper
-- 
Kristian Hermansen <khermansen () ht-technology com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html