Full Disclosure mailing list archives
Gaim Festival Logoff Vulnerability <= 0.81 (1.03)
From: Kristian Hermansen <khermansen () ht-technology com>
Date: Fri, 03 Dec 2004 02:16:16 -0500
DATE: Friday, December 3, 2004 After some playing around this week, there seems to be vulnerabilities in the Festival plugin (/usr/lib/gaim/festival.so) for Gaim. I tested version 0.81 in Gaim 1.03 with the ked_diphone voice. I'm not sure if these are already known and remain unpatched. Basically, by sending certain strings you can exploit it in various ways. ratjed and I ran into this last night while passing some code back and forth. For the most simple example try sending it these two strings concurrently: --snip-- ##printf("%s", "%s", "hello world"); ##printf("%s", "hello world"); --snip-- It should close down Gaim immediately. You might be able to get it to delete files, but I have not put more than five minutes into analyzing it yet. I publish this in the event that there are other more dangerous strings that could be sent. Any feedback is greatly appreciated and if anyone has a patch please make it available... CREDITS: ratjed and netsniper -- Kristian Hermansen <khermansen () ht-technology com> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Gaim Festival Logoff Vulnerability <= 0.81 (1.03) Kristian Hermansen (Dec 03)