[Full-Disclosure] Gaim Festival Logoff Vulnerability <= 0.81 (1.03)
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] Gaim Festival Logoff Vulnerability <= 0.81 (1.03)
- From: Kristian Hermansen <khermansen@xxxxxxxxxxxxxxxxx>
- Date: Fri, 03 Dec 2004 02:16:16 -0500
DATE: Friday, December 3, 2004
After some playing around this week, there seem to be vulnerabilities
in the Festival plugin (/usr/lib/gaim/festival.so) for Gaim. I tested
version 0.81 in Gaim 1.03 with the ked_diphone voice. I'm not sure if
these are already known and remain unpatched. Basically, by sending
certain strings you can exploit it in various ways. ratjed and I ran
into this last night while passing some code back and forth. For the
simplest example, try sending it these two strings concurrently:
--snip--
##printf("%s", "%s", "hello world");
##printf("%s", "hello world");
--snip--
It should close down Gaim immediately. You might be able to get it to
delete files, but I have not put more than five minutes into analyzing
it yet. I publish this in the event that there are other more dangerous
strings that could be sent. Any feedback is greatly appreciated and if
anyone has a patch please make it available...
CREDITS: ratjed and netsniper
--
Kristian Hermansen <khermansen@xxxxxxxxxxxxxxxxx>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html