[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Gaim festival plugin exploit

To: "Randal L. Schwartz" <merlyn@stonehenge.com>
Subject: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
From: Brian Hatch <full-disclosure@ifokr.org>
Date: Thu, 23 Oct 2003 07:56:16 -0700


> >> system("echo \"$string\" | /usr/bin/festival --tts");
> 
> Replace this with
> 
>         open FEST, "|/usr/bin/festival --tts";
>         print FEST $string, "\n";
>         close FEST;
> 
> No shells involved.  Only DOS exploits and maybe the usual
> C-language overflows in festival itself.

Well, no, that open does invoke a shell, albeit one with
no user input.  It's still better to 

        pipe
        fork
        child exec explicitly
        parent read pipe

Newer perl can actually use list form in the 'file'
section for open, so you'd be able to use that to
avoid a shell in the open without writing the code
yourself.


--
Brian Hatch                  Why do croutons come
   Systems and                in airtight packages?
   Security Engineer          Aren't they just stale
http://www.ifokr.org/bri/     bread to begin with?

Every message PGP signed

Attachment: pgp00110.pgp
Description: PGP signature

Follow-Ups:
- Re: [Full-Disclosure] Re: Gaim festival plugin exploit
  - From: merlyn@stonehenge.com (Randal L. Schwartz)

References:
- [Full-Disclosure] Gaim festival plugin exploit
  - From: error <error@lostinthenoise.net>
- [Full-Disclosure] Re: Gaim festival plugin exploit
  - From: HCTITS Security Division <security@humancentrictech.com>
- [Full-Disclosure] Re: Gaim festival plugin exploit
  - From: merlyn@stonehenge.com (Randal L. Schwartz)

Prev by Date: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
Next by Date: Re: [Full-Disclosure] RE: Linux (in)security
Previous by thread: [Full-Disclosure] Re: Gaim festival plugin exploit
Next by thread: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
Index(es):
- Date
- Thread