Full Disclosure mailing list archives

Re: Re: Gaim festival plugin exploit


From: Dale Harris <rodmur () maybe org>
Date: Thu, 23 Oct 2003 13:02:31 -0700

On Thu, Oct 23, 2003 at 02:52:36PM -0400, Scott Phelps / Dreamwright Studios elucidated:

This is great, somebody is arguing Perl syntax with the guy who co-wrote the
llama book.

Probably an honest mistake.


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Randal L.
Schwartz
Sent: Thursday, October 23, 2003 11:04 AM
To: Brian Hatch
Cc: HCTITS Security Division; bugtraq () securityfocus com;
full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: Gaim festival plugin exploit

"Brian" == Brian Hatch <full-disclosure () ifokr org> writes:

system("echo \"$string\" | /usr/bin/festival --tts");

Replace this with

open FEST, "|/usr/bin/festival --tts";
print FEST $string, "\n";
close FEST;

No shells involved.  Only DOS exploits and maybe the usual
C-language overflows in festival itself.

Brian> Well, no, that open does invoke a shell, albeit one with
Brian> no user input.

Excuse me.  No it doesn't.  I dare you to watch a trace of that
program and tell me if EVER a /bin/sh is invoked.  It doesn't.  It
forks, and calls festival directly.  Just a child.  No grandchild.  No
chance for a shell interpretation.


So let me guess, open FEST "|..." uses popen(), right?  Therefore a
shell is invoked, and it won't show up on strace, because popen() is too
high level for that kind of trace.


Dale
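The three ways of handing $string to festival that the thread argues over, side by side, as an added example (not code from the thread or from the Gaim plugin); /usr/bin/festival is the path used in the thread, and the subroutine names are mine:

```perl
#!/usr/bin/perl
# Added example, not from the thread or the Gaim plugin: three ways to
# hand $string to festival. Path taken from the thread; set $tts to
# /bin/cat to try it without festival installed.
use strict;
use warnings;

my $tts = '/usr/bin/festival';

# Variant 1: the plugin's original call. $string is interpolated into a
# shell command line, so any " $ ` ; | in it is parsed by /bin/sh.
sub speak_via_system {
    my ($string) = @_;
    return system("echo \"$string\" | $tts --tts");
}

# Variant 2: Randal's two-argument piped open. Per perldoc -f open, a
# command with no shell metacharacters is split on whitespace and exec'd
# directly; only a command containing metacharacters goes to /bin/sh -c.
# This command is a constant without metacharacters, so no shell runs and
# $string travels over the pipe as data, never through a parser.
sub speak_via_pipe {
    my ($string) = @_;
    open(my $fest, "|$tts --tts") or die "cannot run $tts: $!";
    print {$fest} $string, "\n";
    close($fest) or die "$tts failed, exit status ", $? >> 8, "\n";
}

# Variant 3: list-form piped open (perl 5.8+). Command and arguments go
# straight to execvp, so no shell is consulted whatever the pieces contain.
# Prefer this: the guarantee does not depend on the command string staying
# free of metacharacters as the code is edited later.
sub speak_via_list_pipe {
    my ($string) = @_;
    open(my $fest, '|-', $tts, '--tts') or die "cannot run $tts: $!";
    print {$fest} $string, "\n";
    close($fest) or die "$tts failed, exit status ", $? >> 8, "\n";
}

speak_via_list_pipe(@ARGV ? $ARGV[0] : 'hello from gaim');
```

Running it as `strace -f -e trace=execve perl speak.pl` lists every execve performed by the child processes, which is the direct way to settle, for each variant, whether /bin/sh is among them.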
