On Thu, Oct 23, 2003 at 02:52:36PM -0400, Scott Phelps / Dreamwright Studios elucidated:
>
> This is great, somebody is arguing Perl syntax with the guy who co-wrote the
> llama book.
>
> Probably an honest mistake.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Randal L.
> > Schwartz
> > Sent: Thursday, October 23, 2003 11:04 AM
> > To: Brian Hatch
> > Cc: HCTITS Security Division; [EMAIL PROTECTED];
> > [EMAIL PROTECTED]
> > Subject: Re: [Full-Disclosure] Re: Gaim festival plugin exploit
> >
> > >>>>> "Brian" == Brian Hatch <[EMAIL PROTECTED]> writes:
> >
> > >> >> system("echo \"$string\" | /usr/bin/festival --tts");
> > >>
> > >> Replace this with
> > >>
> > >> open FEST, "|/usr/bin/festival --tts";
> > >> print FEST $string, "\n";
> > >> close FEST;
> > >>
> > >> No shells involved. Only DOS exploits and maybe the usual
> > >> C-language overflows in festival itself.
> >
> > Brian> Well, no, that open does invoke a shell, albeit one with
> > Brian> no user input.
> >
> > Excuse me. No it doesn't. I dare you to watch a trace of that
> > program and tell me if EVER a /bin/sh is invoked. It doesn't. It
> > forks, and calls festival directly. Just a child. No grandchild. No
> > chance for a shell interpretation.
>

So let me guess, open FEST "|..." uses popen(), right? Therefore a shell is invoked, and it won't show up on strace, because popen() is too high level for that kind of trace.

Dale

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
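The thread above argues over whether Perl's string-form pipe open goes through /bin/sh. For the string form (`open FEST, "|/usr/bin/festival --tts"`), Perl hands the command to `/bin/sh -c` only when the command string contains shell metacharacters; a plain command line like the one quoted is exec'd directly. The list form of `open` with a `|-` mode and two or more list elements removes the question entirely: Perl calls `execvp()` on the list, and the text written to the handle is never part of any command line. The script below is an added example written for this page, not code from the thread, from Gaim or from festival. It assumes festival lives at /usr/bin/festival and falls back to `cat -` so it runs on a machine without festival; `$string` is a constructed sample. Either way, running it under `strace -f -e trace=execve` shows a single child exec and no /bin/sh.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Shows the list form of Perl's
# pipe open, which execs the program directly (no /bin/sh), next to a
# comment recalling the string-interpolating system() call from the thread.
use strict;
use warnings;

# Write $text to the standard input of the program given by @cmd.
# With two or more elements after '|-', Perl calls execvp() on @cmd
# itself; the text is never part of a command line, so characters
# like ; $( ) ` | are ordinary bytes on the child's stdin.
# A single-element list is treated like the string form (metacharacter
# check, possible shell), so this helper refuses it.
sub pipe_text_to {
    my ($text, @cmd) = @_;
    die "need a program name and at least one argument" if @cmd < 2;

    open(my $fh, '|-', @cmd) or die "cannot run @cmd: $!";
    print {$fh} $text, "\n";
    # close() on a pipe waits for the child; $? carries its exit status.
    close($fh)
        or die $! ? "error writing to @cmd: $!"
                  : "@cmd exited with status " . ($? >> 8);
    return $? >> 8;  # 0 on success
}

# Constructed sample input containing shell metacharacters.
# Interpolated into the thread's original
#   system("echo \"$string\" | /usr/bin/festival --tts");
# the shell would parse this line; through pipe_text_to() it does not.
my $string = q{Hello Gaim user; echo "still literal" $(id) `id` | cat};

# Use festival when it is installed (assumed path /usr/bin/festival);
# otherwise fall back to 'cat -', which echoes stdin so the script runs
# anywhere and shows the text arriving unmodified.
my @receiver = -x '/usr/bin/festival' ? ('/usr/bin/festival', '--tts')
                                      : ('cat', '-');
my $status = pipe_text_to($string, @receiver);
print STDERR "child exit status: $status\n";
```

The `@cmd < 2` guard matters: `open($fh, '|-', '/usr/bin/festival --tts')` with one element behaves like the two-argument string form, while `open($fh, '|-', '/usr/bin/festival', '--tts')` always bypasses the shell, which is the property a reviewer of this plugin would want to rely on rather than on the absence of metacharacters in a particular string.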
