lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031023200231.GH11824@maybe.org>
From: rodmur at maybe.org (Dale Harris)
Subject: Re: Gaim festival plugin exploit

On Thu, Oct 23, 2003 at 02:52:36PM -0400, Scott Phelps / Dreamwright Studios elucidated:
> 
> This is great, somebody is arguing Perl syntax with the guy who co-wrote the
> llama book.

Probably an honest mistake.

> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Randal L.
> Schwartz
> Sent: Thursday, October 23, 2003 11:04 AM
> To: Brian Hatch
> Cc: HCTITS Security Division; bugtraq@...urityfocus.com;
> full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
> 
> >>>>> "Brian" == Brian Hatch <full-disclosure@...kr.org> writes:
> 
> >> >> system("echo \"$string\" | /usr/bin/festival --tts");
> >> 
> >> Replace this with
> >> 
> >> open FEST, "|/usr/bin/festival --tts";
> >> print FEST $string, "\n";
> >> close FEST;
> >> 
> >> No shells involved.  Only DOS exploits and maybe the usual
> >> C-language overflows in festival itself.
> 
> Brian> Well, no, that open does invoke a shell, albeit one with
> Brian> no user input.
> 
> Excuse me.  No it doesn't.  I dare you to watch a trace of that
> program and tell me if EVER a /bin/sh is invoked.  It doesn't.  It
> forks, and calls festival directly.  Just a child.  No grandchild.  No
> chance for a shell interpretation.
> 

So let me guess  open FEST "|..." uses popen(), right?  Therefore a
shell is invoked, and it won't show up on strace, because popen() is too
high level for that kind of trace.


Dale


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ