Message-ID: <20031023200231.GH11824@maybe.org>
From: rodmur at maybe.org (Dale Harris)
Subject: Re: Gaim festival plugin exploit
On Thu, Oct 23, 2003 at 02:52:36PM -0400, Scott Phelps / Dreamwright Studios elucidated:
>
> This is great, somebody is arguing Perl syntax with the guy who co-wrote the
> llama book.
Probably an honest mistake.
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Randal L.
> Schwartz
> Sent: Thursday, October 23, 2003 11:04 AM
> To: Brian Hatch
> Cc: HCTITS Security Division; bugtraq@...urityfocus.com;
> full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
>
> >>>>> "Brian" == Brian Hatch <full-disclosure@...kr.org> writes:
>
> >> >> system("echo \"$string\" | /usr/bin/festival --tts");
> >>
> >> Replace this with
> >>
> >> open FEST, "|/usr/bin/festival --tts";
> >> print FEST $string, "\n";
> >> close FEST;
> >>
> >> No shells involved. Only DOS exploits and maybe the usual
> >> C-language overflows in festival itself.
>
> Brian> Well, no, that open does invoke a shell, albeit one with
> Brian> no user input.
>
> Excuse me. No it doesn't. I dare you to watch a trace of that
> program and tell me if EVER a /bin/sh is invoked. It doesn't. It
> forks, and calls festival directly. Just a child. No grandchild. No
> chance for a shell interpretation.
>
So let me guess open FEST "|..." uses popen(), right? Therefore a
shell is invoked, and it won't show up on strace, because popen() is too
high level for that kind of trace.
Dale
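
An added example, not part of this message or the quoted thread: the list form of a piped open (Perl 5.8 or later on a Unix-like system), which forks and execs the program directly and so keeps the text out of any shell, whatever the two-argument form does. The helper name `pipe_to`, the sample message, and the use of perl itself as a stand-in for `/usr/bin/festival --tts` are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical helper: pipe $text to a command's stdin without a shell.
# With '|-' followed by a program and its arguments as a list, perl
# fork()s and exec()s the program directly, so nothing in @cmd or $text
# is ever parsed by /bin/sh.
sub pipe_to {
    my ($text, @cmd) = @_;
    local $SIG{PIPE} = 'IGNORE';    # a dead child is reported by print/close, not a signal
    open(my $fh, '|-', @cmd) or die "cannot run $cmd[0]: $!";
    print {$fh} $text, "\n";
    close($fh)
        or die "$cmd[0] failed: " . ($! ? $! : "exit status " . ($? >> 8));
    return 1;
}

# Constructed sample message containing characters a shell would act on.
my $message = q{hello"; echo INJECTED; echo "$(echo SUBST) `echo TICK`};

# Stand-in for festival (assumption: festival may not be installed here):
# a perl one-liner that copies its stdin to the file named in its argument.
my ($out_fh, $out_path) = tempfile(UNLINK => 1);
close $out_fh;
pipe_to($message, $^X, '-e',
    'open(my $o, ">", shift(@ARGV)) or die; print {$o} <STDIN>;',
    $out_path);

# Read back what the consumer actually received.
open(my $in, '<', $out_path) or die "cannot read $out_path: $!";
my $received = do { local $/; <$in> };
close $in;

# The consumer sees the message byte for byte: no quoting was broken and
# no command substitution ran.
print $received eq "$message\n" ? "delivered verbatim\n" : "message was altered\n";

# With the real program the call would be:
#   pipe_to($string, '/usr/bin/festival', '--tts');
```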