Full Disclosure mailing list archives
Re: Re: Gaim festival plugin exploit
From: merlyn () stonehenge com (Randal L. Schwartz)
Date: 23 Oct 2003 08:04:27 -0700
>>>>> "Brian" == Brian Hatch <full-disclosure () ifokr org> writes:

>> system("echo \"$string\" | /usr/bin/festival --tts");
>>
>> Replace this with
>>
>>   open FEST, "|/usr/bin/festival --tts";
>>   print FEST $string, "\n";
>>   close FEST;
>>
>> No shells involved. Only DOS exploits and maybe the usual
>> C-language overflows in festival itself.

Brian> Well, no, that open does invoke a shell, albeit one with
Brian> no user input.

Excuse me. No it doesn't. I dare you to watch a trace of that program
and tell me if EVER a /bin/sh is invoked. It doesn't. It forks, and
calls festival directly. Just a child. No grandchild. No chance for a
shell interpretation.

When the pipe-open is simple enough (no shell metachars) Perl goes
directly to the $PATH and figures out how to parse that string into the
argv[] and calls execve directly.

Please don't challenge such obvious Perl knowledge for someone who has
spent the past twelve years writing more Perl documentation and teaching
Perl more than anyone else on the planet. I'm sorry if I sound irate,
but Perl and Security are my two expert areas. Sheesh. Trust me on this
one, OK?

Brian> It's still better to
Brian>   pipe
Brian>   fork
Brian>   child exec explicitly
Brian>   parent read pipe

That is *precisely* what this is doing, using the shortest syntax known
to man. :)

Brian> Newer perl can actually use list form in the 'file'
Brian> section for open, so you'd be able to use that to
Brian> avoid a shell in the open without writing the code
Brian> yourself.

Not needed. This already avoids the shell. JUST LIKE I ALREADY FRICKIN
SAID.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
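The two shell-free forms argued over above, side by side, as an added example that is neither from this thread nor from the Gaim plugin: the metachar-free pipe-open from the message and the list-form open Brian mentions. The demo text, the `speak_*` function names and the fallback to `/bin/cat` when festival is absent are this example's own assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed demo text with shell metacharacters.  Under the original
# system("echo \"$string\" | /usr/bin/festival --tts") the shell would
# parse the '"', ';' and '$(...)'; in the forms below they are only bytes.
my $string = 'Hello"; echo $(id) # not a command';

# Form 1 (the one in the message): pipe-open with a command string that
# contains no shell metacharacters.  Perl then splits the string on
# whitespace, forks once and calls execve() on the program itself: no
# /bin/sh, no grandchild.  $string goes to the child's stdin as data.
# Caveat: this rests on @cmd being metachar-free; a path containing a
# space or '$' would make Perl fall back to /bin/sh -c for the command.
sub speak_pipe_open {
    my ($text, @cmd) = @_;
    open(my $child, '|' . join(' ', @cmd))
        or die "cannot start $cmd[0]: $!";
    print {$child} $text, "\n";
    close($child);
    return $? >> 8;                   # child's exit status
}

# Form 2 (the list form Brian mentions, Perl 5.8+): with two or more list
# elements argv is handed to execve() element by element and no shell is
# consulted, whatever the command or its arguments contain.  Prefer this
# whenever any part of the command line is not a literal in your source.
sub speak_list_open {
    my ($text, @cmd) = @_;
    open(my $child, '|-', @cmd)
        or die "cannot start $cmd[0]: $!";
    print {$child} $text, "\n";
    close($child);
    return $? >> 8;
}

# /bin/cat stands in for festival when it is not installed: cat echoes the
# exact bytes it received, which shows nothing was expanded on the way.
my @program = -x '/usr/bin/festival' ? ('/usr/bin/festival', '--tts')
                                     : ('/bin/cat', '-');
for my $form (\&speak_pipe_open, \&speak_list_open) {
    my $status = $form->($string, @program);
    print STDERR "$program[0] exited with status $status\n" if $status;
}
```

Running it under `strace -f -e trace=execve` is the trace Randal refers to: both forms show a single execve() of the program itself and no /bin/sh.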