Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Gaim Festival Logoff Vulnerability <= 0.81 (1.03)
From: Kristian Hermansen <khermansen () ht-technology com>
Date: Fri, 03 Dec 2004 02:16:16 -0500

DATE: Friday, December 3, 2004

After some playing around this week, there seems to be vulnerabilities
in the Festival plugin (/usr/lib/gaim/festival.so) for Gaim.  I tested
version 0.81 in Gaim 1.03 with the ked_diphone voice.  I'm not sure if
these are already known and remain unpatched.  Basically, by sending
certain strings you can exploit it in various ways.  ratjed and I ran
into this last night while passing some code back and forth.  For the
most simple example try sending it these two strings concurrently:

##printf("%s", "%s", "hello world");
##printf("%s", "hello world");

It should close down Gaim immediately.  You might be able to get it to
delete files, but I have not put more than five minutes into analyzing
it yet.  I publish this in the event that there are other more dangerous
strings that could be sent.  Any feedback is greatly appreciated and if
anyone has a patch please make it available...

CREDITS: ratjed and netsniper
Kristian Hermansen <khermansen () ht-technology com>

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Gaim Festival Logoff Vulnerability <= 0.81 (1.03) Kristian Hermansen (Dec 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]