Full Disclosure mailing list archives

Re: Re: Gaim festival plugin exploit

From: merlyn () stonehenge com (Randal L. Schwartz)
Date: 23 Oct 2003 08:04:27 -0700

"Brian" == Brian Hatch <full-disclosure () ifokr org> writes:

system("echo \"$string\" | /usr/bin/festival --tts");


Replace this with

open FEST, "|/usr/bin/festival --tts";
print FEST $string, "\n";
close FEST;

No shells involved.  Only DOS exploits and maybe the usual
C-language overflows in festival itself.


Brian> Well, no, that open does invoke a shell, albeit one with
Brian> no user input.

Excuse me.  No it doesn't.  I dare you to watch a trace of that
program and tell me if EVER a /bin/sh is invoked.  It doesn't.  It
forks, and calls festival directly.  Just a child.  No grandchild.  No
chance for a shell interpretation.

When the pipe-open is simple enough (no shell metachars) Perl goes
directly to the $PATH and figures out how to parse that string into
the argv[] and calls execve directly.

Please don't challenge such obvious Perl knowledge for
someone who has spent the past twelve years writing more Perl
documentation and teaching Perl more than anyone else on the
planet.

I'm sorry if I sound irate, but Perl and Security are my two
expert areas.  Sheesh.  Trust me on this one, OK?

Brian>   It's still better to 

Brian>  pipe
Brian>  fork
Brian>  child exec explicitly
Brian>  parent read pipe

That is *precisely* what this is doing, using the shortest
syntax known to man. :)

Brian> Newer perl can actually use list form in the 'file'
Brian> section for open, so you'd be able to use that to
Brian> avoid a shell in the open without writing the code
Brian> yourself.

Not needed.  This already avoids the shell.

JUST LIKE I ALREADY FRICKIN SAID.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn () stonehenge com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Gaim festival plugin exploit, (continued)
- Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 15)
- Re: Gaim festival plugin exploit Jérôme Augé (Oct 16)
- Re: Gaim festival plugin exploit HCTITS Security Division (Oct 17)
  - Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 17)
    - Re: Re: Gaim festival plugin exploit Valdis . Kletnieks (Oct 18)
- Re: Gaim festival plugin exploit HCTITS Security Division (Oct 17)
  - Re: Re: Gaim festival plugin exploit Cael Abal (Oct 17)
    - Re: [Cert-lists] Re: Re: Gaim festival plugin exploit Georg Moritz (Oct 20)
  - Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 20)
    - Re: Re: Gaim festival plugin exploit Brian Hatch (Oct 23)
    - Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
    - RE: Re: Gaim festival plugin exploit Scott Phelps / Dreamwright Studios (Oct 23)
    - Re: Re: Gaim festival plugin exploit Dale Harris (Oct 23)
    - Re: Re: Gaim festival plugin exploit Shawn McMahon (Oct 23)
    - Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
    - Re: Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 23)
  - Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 20)
  - Re: Gaim festival plugin exploit Randal L. Schwartz (Oct 20)