Bugtraq mailing list archives
Re: screen 3.9.5 root vulnerability
From: Eugeny Kuzakov <coredumped () COREDUMPED NULL RU>
Date: Tue, 5 Sep 2000 09:16:36 +0700
On Tue, 5 Sep 2000, Jouko Pynnönen wrote:

The FreeBSD port is not affected by this problem after 1 Sept 2000, because it contains a security patch for this problem.

$ cat /usr/ports/misc/screen/patches/patch-sec1
--- screen.c.orig Fri Sep 1 17:58:35 2000 +++ screen.c Fri Sep 1 17:57:35 2000 @@ -2311,7 +2311,7 @@ else if (visual && !D_VB && (!D_status || !D_status_bell)) { D_status_delayed = -1; - Msg(0, VisualBellString); + Msg(0, "%s", VisualBellString); if (D_status) { D_status_bell = 1;
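Review bot: the change from `Msg(0, VisualBellString)` to `Msg(0, "%s", VisualBellString)` is the right fix for this call site, since it makes the user-definable string an argument rather than the format; what the patch does not say is whether the other Msg() call sites were checked. Because Msg() hands its second argument to sprintf(), any other call whose format comes from a user-settable string rather than a literal has the same defect, and the patch description should state that audit was done. A short comment on the `+` line explaining why the literal `"%s"` must stay would also keep a later cleanup from collapsing it back to the vulnerable form.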
Date: Tue, 5 Sep 2000 01:28:01 +0300
From: "Jouko Pynnönen" <jouko () SOLUTIONS FI>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: screen 3.9.5 root vulnerability

PROBLEM DESCRIPTION

A vulnerability exists in the program "screen" version 3.9.5 and earlier. If screen is installed setuid root, a local user may gain root privilege. There are many systems where the program isn't setuid root by default, but on many systems (afaik at least SuSE Linux, Red Hat 5.2 and earlier, *BSD ports packages, Solaris, other commercial unices) it is, making them vulnerable.

To quickly check if your version is vulnerable, have these two lines in ~/.screenrc:

    vbell on
    vbell_msg '%x'

Set TERM to vt100, start screen and press ctrl-G (you may need to issue the command echo ^V^G to get a visual bell). If you see a hexadecimal number on the last line, your version of screen is vulnerable. However it can't be exploited unless the program is installed setuid root.

BUG DETAILS

The bug is located in screen.c in function serv_select_fn():

    ...
    else if (visual && !D_VB && (!D_status || !D_status_bell))
      {
        D_status_delayed = -1;
        Msg(0, VisualBellString);
        if (D_status)
    ...

Msg() feeds the second argument to sprintf() and since VisualBellString is user definable, we have a classical format bug. From there, a malicious user can either do the old trick and write over a return address in stack, or for instance, write over the real_uid variable where screen saves the user id. After zeroing this variable with the format string the user can just open a new window with a root shell in it. For this reason the bug is quite platform-independent; no shell code nor executable stack is needed. The vulnerability has been tested on Linux, Intel and ppc architectures.

VULNERABLE SYSTEMS

NetBSD, FreeBSD, OpenBSD (screen is a part of the ports collection)
Red Hat Linux 5.2 and earlier, SuSE Linux, Solaris, many commercial unices

NOT VULNERABLE

Red Hat Linux 6.0 and later, most other Linux distributions

WORKAROUND

Removing the setuid bit from the binary makes it impossible to be exploited:

    chmod 111 /usr/local/bin/screen   # or /usr/bin/screen

BUT this may require some changes to the mode of screen's socket dir (usually /tmp/screens). Consult screen documentation for more info.

SOLUTION

Screen authors (and some OS vendors) have been informed and a new version of screen can be retrieved from
ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.8.tar.gz
and diffs relative to version 3.9.5:
ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.5-3.9.8.diff.gz

Vendor patches for vulnerable systems have been released, or will be released shortly.

CREDITS

Vulnerability discovered by: Jouko Pynnönen

--
Jouko Pynnönen
Online Solutions Ltd
Secure your Linux - jouko () solutions fi
http://www.secmod.com
----
Best wishes,
Eugeny Kuzakov, SA
ITBank, Omsk
----
All I want is a warm bed and a kind word and unlimited power
-- Ashleigh Brilliant
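As an added illustration of the bug class and the fix discussed in the thread (this is not code from the advisory, from the FreeBSD patch, or from screen itself), the following C program places a stand-in for Msg() beside the vulnerable and the patched call patterns, and adds a small configuration check a defender can run over user-settable display strings. The names msg_like, bell_vulnerable, bell_fixed, format_directive_count and the 0xDEADBEEF sentinel are assumptions of this example; the sentinel stands in for whatever happens to lie in the argument area, which is what the advisory's `vbell_msg '%x'` check makes visible on an unpatched build.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF 256

/* Hypothetical stand-in for screen's Msg(): like the sprintf() call the
 * advisory describes, the second argument is used directly as the format. */
static void msg_like(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (pre-patch): the user-definable string IS the format.
 * The trailing sentinel is an assumption of this example so the run stays
 * deterministic; in the real bug nothing is passed and "%x" reads whatever
 * the stack holds, which is why the advisory's check prints a hex number. */
void bell_vulnerable(char *out, size_t n, const char *visual_bell_string)
{
    msg_like(out, n, visual_bell_string, 0xDEADBEEFu);
}

/* Fixed pattern (what patch-sec1 does): a constant format, user text as an
 * argument. The string is printed literally no matter what it contains. */
void bell_fixed(char *out, size_t n, const char *visual_bell_string)
{
    msg_like(out, n, "%s", visual_bell_string);
}

/* Defensive check for configuration strings that are only ever meant to be
 * displayed: count printf conversion directives. "%%" is an escaped percent
 * sign and is not counted. A non-zero result on a display-only setting is a
 * sign that some code path may be treating it as a format. */
int format_directive_count(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* literal percent, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* 1 when the vulnerable path rendered "%x" as the sentinel's hex digits,
 * i.e. the user string was interpreted as a format. */
int vulnerable_path_leaks(void)
{
    char buf[MSG_BUF];
    bell_vulnerable(buf, sizeof buf, "%x");
    return strcmp(buf, "deadbeef") == 0;
}

/* 1 when the fixed path left "%x" untouched. */
int fixed_path_literal(void)
{
    char buf[MSG_BUF];
    bell_fixed(buf, sizeof buf, "%x");
    return strcmp(buf, "%x") == 0;
}

int main(void)
{
    printf("vulnerable path interprets directives: %d\n", vulnerable_path_leaks());
    printf("fixed path prints literally:           %d\n", fixed_path_literal());
    printf("directives in \"Wuff, Wuff!!\": %d\n", format_directive_count("Wuff, Wuff!!"));
    printf("directives in \"%%x%%n\":          %d\n", format_directive_count("%x%n"));
    return 0;
}
```

The two bell_* functions differ only in where the user string sits in the argument list, which is exactly the one-line change in the FreeBSD patch; format_directive_count is the sort of check that can be applied to every display-only setting in a configuration file, independent of whether the code that prints it has been audited yet.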