From: georg.moritz at topalis.com (Georg Moritz)
Subject: [Cert-lists] Re: Re: Gaim festival plugin exploit

Cael Abal wrote:
>>DUH... would help if I attached my attachment.
>>
>>I am right proud of myself for this, and it also needs mention to
>>address the security issue that our friend Error (is that a reference to
>>Zelda 2?) raised.
>>
>>Attached, find the latest reissue of the Gaim festival plugin. The guy
>>that wrote it, wrote it for pre-0.68 Perl API, but it was secure against
>>the sort of attack that Error described. I have since taken it and
>>recoded it to work with post-0.68 versions of Gaim. It is attached. By
>>all means, if you see an exploitable bug in there, let me know! I'm
>>just a perl-tot..
>
>
> Hi Brian,
>
> This updated version is still vulnerable. You should be *very* wary of
> any call to system() or fork(). Consider this input:
>
> "This is only a test && rm -rf /"
>
> Notice that ';' isn't the only way to inject into a commandline.
>
> Cheers,
>
> Cael

One way of safely passing input without need of untainting data:

    $pid = open(OUT,"| artsdsp festival -b --tts");
    if($pid) {
        print OUT "$sendername said, $message";
        close OUT;
        waitpid($pid,0);
    } else {
        # handle error
    }

This way "$sendername said, $message" goes right into STDIN of artsdsp
without being parsed by the shell. But then, artsdsp gets bogus input..

You might want to check 'man perlsec', 'perldoc -f open'

greetings,

Georg
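Added example, not part of the message above or of the plugin's own code: the same stdin-pipe approach written with Perl's list-form open, which never invokes /bin/sh, fed the input string quoted in the thread. The helper name speak() and the sender name are hypothetical, and a child Perl process stands in for "artsdsp festival -b --tts" so the example runs without festival installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The plugin's real command, as given in the message above, would be:
#   my @tts_cmd = ('artsdsp', 'festival', '-b', '--tts');
# Stand-in (assumption, for offline use): a child Perl that reports
# exactly what arrived on its STDIN.
my @tts_cmd = ($^X, '-e',
    'local $/; my $in = <STDIN>; print "child got: [$in]\n"');

# Hypothetical helper; speak() is not a Gaim or plugin function.
sub speak {
    my ($cmd, $sendername, $message) = @_;

    # List-form piped open: the program is exec'd directly, so neither
    # the command arguments nor the text are parsed as shell syntax.
    my $pid = open(my $out, '|-', @$cmd);
    unless ($pid) {
        warn "cannot start $cmd->[0]: $!\n";
        return 0;
    }

    # The untrusted text travels on the child's STDIN as plain data.
    print {$out} "$sendername said, $message";

    # close() on a pipe waits for the child and sets $? to its status.
    unless (close $out) {
        warn $! ? "error closing pipe: $!\n"
                : "child exited with status " . ($? >> 8) . "\n";
        return 0;
    }
    return 1;
}

# Constructed sample call using the input string quoted in the thread.
my $ok = speak(\@tts_cmd, 'Cael', 'This is only a test && rm -rf /');
print $ok ? "delivered as plain text\n" : "delivery failed\n";
```

The child reports the "&&" and everything after it as literal text, since no shell sits between the plugin and the speech command.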