[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Re: Gaim festival plugin exploit

To: "'Randal L. Schwartz'" <merlyn@stonehenge.com>, "'Brian Hatch'" <full-disclosure@ifokr.org>
Subject: RE: [Full-Disclosure] Re: Gaim festival plugin exploit
From: "Scott Phelps / Dreamwright Studios" <scottp@dreamwright.com>
Date: Thu, 23 Oct 2003 14:52:36 -0400

This is great, somebody is arguing Perl syntax with the guy who co-wrote the
llama book.

I don't come here for the security, but for the entertainment :)

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Randal L.
Schwartz
Sent: Thursday, October 23, 2003 11:04 AM
To: Brian Hatch
Cc: HCTITS Security Division; bugtraq@securityfocus.com;
full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Re: Gaim festival plugin exploit

>>>>> "Brian" == Brian Hatch <full-disclosure@ifokr.org> writes:

>> >> system("echo \"$string\" | /usr/bin/festival --tts");
>> 
>> Replace this with
>> 
>> open FEST, "|/usr/bin/festival --tts";
>> print FEST $string, "\n";
>> close FEST;
>> 
>> No shells involved.  Only DOS exploits and maybe the usual
>> C-language overflows in festival itself.

Brian> Well, no, that open does invoke a shell, albeit one with
Brian> no user input.

Excuse me.  No it doesn't.  I dare you to watch a trace of that
program and tell me if EVER a /bin/sh is invoked.  It doesn't.  It
forks, and calls festival directly.  Just a child.  No grandchild.  No
chance for a shell interpretation.

When the pipe-open is simple enough (no shell metachars) Perl goes
directly to the $PATH and figures out how to parse that string into
the argv[] and calls execve directly.

Please don't challenge such obvious Perl knowledge for
someone who has spent the past twelve years writing more Perl
documentation and teaching Perl more than anyone else on the
planet.

I'm sorry if I sound irate, but Perl and Security are my two
expert areas.  Sheesh.  Trust me on this one, OK?

Brian>   It's still better to 

Brian>  pipe
Brian>  fork
Brian>  child exec explicitly
Brian>  parent read pipe

That is *precisely* what this is doing, using the shortest
syntax known to man. :)

Brian> Newer perl can actually use list form in the 'file'
Brian> section for open, so you'd be able to use that to
Brian> avoid a shell in the open without writing the code
Brian> yourself.

Not needed.  This already avoids the shell.

JUST LIKE I ALREADY FRICKIN SAID.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl
training!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Follow-Ups:
- Re: [Full-Disclosure] Re: Gaim festival plugin exploit
  - From: Dale Harris <rodmur@maybe.org>

References:
- Re: [Full-Disclosure] Re: Gaim festival plugin exploit
  - From: merlyn@stonehenge.com (Randal L. Schwartz)

Prev by Date: Re: [Full-Disclosure] RE: Linux (in)security
Next by Date: RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
Previous by thread: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
Next by thread: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
Index(es):
- Date
- Thread