
Re: [Full-Disclosure] Re: Gaim festival plugin exploit



On Thu, Oct 23, 2003 at 02:52:36PM -0400, Scott Phelps / Dreamwright Studios 
elucidated:
> 
> This is great, somebody is arguing Perl syntax with the guy who co-wrote the
> llama book.

Probably an honest mistake.

> 
> -----Original Message-----
> From: full-disclosure-admin@lists.netsys.com
> [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Randal L.
> Schwartz
> Sent: Thursday, October 23, 2003 11:04 AM
> To: Brian Hatch
> Cc: HCTITS Security Division; bugtraq@securityfocus.com;
> full-disclosure@lists.netsys.com
> Subject: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
> 
> >>>>> "Brian" == Brian Hatch <full-disclosure@ifokr.org> writes:
> 
> >> >> system("echo \"$string\" | /usr/bin/festival --tts");
> >> 
> >> Replace this with
> >> 
> >> open FEST, "|/usr/bin/festival --tts";
> >> print FEST $string, "\n";
> >> close FEST;
> >> 
> >> No shells involved.  Only DOS exploits and maybe the usual
> >> C-language overflows in festival itself.
> 
> Brian> Well, no, that open does invoke a shell, albeit one with
> Brian> no user input.
> 
> Excuse me.  No it doesn't.  I dare you to watch a trace of that
> program and tell me if EVER a /bin/sh is invoked.  It doesn't.  It
> forks, and calls festival directly.  Just a child.  No grandchild.  No
> chance for a shell interpretation.
> 

So let me guess: open FEST "|..." uses popen(), right?  Therefore a
shell is invoked, and it won't show up on strace, because popen() is too
high level for that kind of trace.


Dale

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
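The three ways of handing the string to the external program that this thread argues about, side by side. This is an added example, not code from the original posts or from Gaim's festival plugin; it stands in /bin/cat for "/usr/bin/festival --tts" so it runs anywhere, and the hostile message text is constructed.

```perl
#!/usr/bin/perl
# Added example (not from the thread): how the three forms discussed above
# treat a message containing shell metacharacters.  $cmd is an assumption,
# standing in for "/usr/bin/festival --tts" so the script runs anywhere.
use strict;
use warnings;

my $cmd = '/bin/cat';

# Constructed hostile message, as a remote IM sender could supply it.  The
# embedded quotes and semicolons are the whole point.
my $string = q{hello"; echo INJECTED-BY-SHELL >&2; echo "};

# 1. The original plugin code: one string, interpolated, passed to system().
#    The "|" in it is a shell metacharacter, so perl hands the whole line to
#    /bin/sh -c, and the quotes inside $string terminate the echo argument.
#    The "echo INJECTED-BY-SHELL" then runs as its own shell command.
print "--- system() with interpolated string ---\n";
system(qq{echo "$string" | $cmd});

# 2. The suggested fix: a piped open.  The command string "|/bin/cat" has no
#    shell metacharacters, so perl forks and execs $cmd itself; $string is
#    only ever written to the child's stdin as data and is never parsed.
#    (If the command string itself contained metacharacters, e.g. a
#    ">/dev/null", perl would use /bin/sh for that string, but $string would
#    still be plain stdin data.)
print "--- open with \"|command\" ---\n";
open(my $fest, "|$cmd") or die "open: $!";
print $fest $string, "\n";
close $fest;

# 3. The list form of open: program and arguments are passed as separate
#    list elements, so no shell is consulted regardless of their contents.
print "--- open with list form ---\n";
open(my $fest2, '|-', $cmd) or die "open: $!";
print $fest2 $string, "\n";
close $fest2;
```

Run it and compare: only the first form prints INJECTED-BY-SHELL, because only the first form ever let the message text reach a shell parser. The second form's safety depends on the command string (not the data) being free of metacharacters; the list form removes even that condition, which is why it is the one to reach for when the command line itself is assembled at run time.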