From: Tyler Spivey (tspivey8home.com)
Date: Tue Sep 11 2001 - 16:13:24 CDT


    this is my first post in this kind of thing so bear with me.
    there is a vulnerability in speechd that allows you to run arbitrary code as the root user or whoever is running speechd
    (hopefully not root!).
    it will only work if you are using rsynth, that is all i have tested, it may work on festival too.
    search for system in speechd, (/usr/local/bin
    by default),
    it is:
    system("$cmd \'$text\'");
    right above that, add?
    $text =~ s/'//g;
    (i'm not that familiar with perl, so if anybody has a better idea let me know -
    i'm not familiar with shells that well either - learning).
    you'll be giving up the 's, but it's better than:
    echo "';touch /tmp/evilfile;chmod a+rwxs /tmp/evilfile" >/dev/speech
    even though it logs, by then it'll be too late.
    just my $.02,
    Tyler Spivey
    Student
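
Added example, not part of the original post and not speechd's own code: the post asks for a better idea than deleting apostrophes, and list-form system() in Perl is one, because it runs the program without /bin/sh so the text arrives as a single argument with its apostrophes intact. The stand-in command, the name synth and the sample text are assumptions constructed for this demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: stand-in for speechd's $cmd (the rsynth/festival invocation).
# It is perl itself, printing how many arguments it received and the first one.
my @cmd = ($^X, '-e', 'print "argc=", scalar(@ARGV), " text=[$ARGV[0]]\n"');

# Constructed sample input: an apostrophe plus shell metacharacters.
my $text = "it's here'; echo INJECTED; echo '";

# Vulnerable shape from the post, shown only as the string handed to /bin/sh:
# the quote inside $text closes the quoted argument early.
sub shell_string {
    my ($cmd, $text) = @_;
    return "$cmd '$text'";
}

# Hardened form: list-form system() runs the program directly (execvp),
# with no shell, so $text is exactly one argv element and apostrophes survive.
sub speak {
    my ($text) = @_;
    my $rc = system { $cmd[0] } @cmd, $text;
    return $rc == 0;
}

# Same call shape via list-form pipe open, to capture what the child saw.
sub child_saw {
    my ($text) = @_;
    open(my $fh, '-|', @cmd, $text) or die "cannot run $cmd[0]: $!";
    local $/;                      # slurp all output
    my $out = <$fh>;
    close($fh);
    return $out;
}

# 'synth' is a hypothetical command name used only to print the shell string.
print "sh would parse: ", shell_string('synth', $text), "\n";
print "child received: ", child_saw($text);
print "exit ok: ", (speak($text) ? "yes" : "no"), "\n";
```

Text that begins with '-' can still be read as an option by the program being run, so that case needs handling according to the synthesizer's own argument conventions.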