Full Disclosure mailing list archives
Re: screen 4.0.3 local Authentication Bypass - Working on multiple systems
From: Sûnnet Beskerming <info () beskerming com>
Date: Thu, 7 Jun 2007 04:25:00 +0930
Hi Nico,

I agree that there isn't much point in going through with the process if you already have an open shell. In order to replicate not only the original vulnerability report but the subsequent behaviour, it was the only method discovered that even came close. Source code analysis shows there isn't much opportunity to break out of the locked environment, and to get the response from screen that one of the earlier reports did you need to interrupt screen BEFORE it locks.

Plus, it bugged me that a vulnerability put up on milw0rm wasn't working as advertised. Looking in at why BSD might be vulnerable but not other systems when a SIGINT is sent led me to look at what happened if another signal could replicate the process. While SIGHUP ended screen as well, it was only SIGKILL that then allowed you to reattach the supposedly killed screen with screen -r. I know there are some differences in the way BSD handles some signals when compared to Linux / Unix / OS X, but this behaviour is just plain odd.

After all of that, I place this in the 'Interesting, but unlikely to have practical use' category (for the various reasons already covered).

On 07/06/2007, at 2:41 AM, Nico Golde wrote:
Hi,

* Sûnnet Beskerming <info () beskerming com> [2007-06-06 15:19]:
> [...]
> ~user(screen) $ echo Once the process is killed, I should not reappear.
> Once the process is killed, I should not reappear.
> ~user(screen) $ ^a+x
> Key: [1234]
> Again: [1234]
> Screen used by User <user>.
> Password:
>
> At this stage we now need to kill the right process. On OS X, screen ignores the SIGINT sent by ^c, so we need to send it a SIGKILL. Using your favourite process killer, kill the outer screen pid (5171). If you vary the process, such as:
> [...]

What is the point of locking screen with a password if you have an open shell on the host??? In this case you can just close the window and reattach the screen session.

Kind regards
Nico
--
Nico Golde - JAB: nion () jabber ccc de | GPG: 0x73647CFF
Forget about that mouse with 3/4/5 buttons - gimme a keyboard with 103/104/105 keys!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Carl
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
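The exchange above turns on a signal-handling fact: a process can catch or ignore SIGINT and SIGHUP, but nothing it does can stop a SIGKILL sent by its own user. The following C program is an added illustration of that point; it is not code from the thread, from screen, or from either poster. The forked child is a hypothetical stand-in for a lock program that ignores the polite signals, not screen's actual lock code, and the helper names (`can_install_handler`, `deliver_to_self`, `fate_of_ignoring_child`) are this example's own.

```c
/* Added example: catchable vs. uncatchable signals, from a defender's view.
 * Shows why a lock running as the same user cannot be a security boundary
 * against someone who already has a shell as that user.
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t last_caught = 0;

static void record_signal(int sig) { last_caught = sig; }

/* 1 if a handler can be installed for sig, 0 if the kernel refuses.
 * POSIX forbids catching SIGKILL and SIGSTOP: sigaction fails with EINVAL. */
int can_install_handler(int sig)
{
    struct sigaction sa;
    sa.sa_handler = record_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(sig, &sa, NULL) == 0;
}

/* Install a handler for sig and raise it in this process; returns the
 * signal number the handler recorded, or -1 if no handler could be set. */
int deliver_to_self(int sig)
{
    last_caught = 0;
    if (!can_install_handler(sig))
        return -1;
    raise(sig);
    return (int)last_caught;
}

/* Fork a child that ignores SIGINT, SIGHUP and SIGTERM (a hypothetical lock
 * program that refuses to be interrupted), send it sig, and report the
 * outcome: the number of the signal that terminated the child, 0 if the
 * child survived the signal (it is then SIGKILLed to clean up), -1 on error. */
int fate_of_ignoring_child(int sig)
{
    int ready[2];
    if (pipe(ready) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* child: ignore every signal it is allowed to ignore */
        signal(SIGINT, SIG_IGN);
        signal(SIGHUP, SIG_IGN);
        signal(SIGTERM, SIG_IGN);
        close(ready[0]);
        if (write(ready[1], "r", 1) != 1)   /* tell the parent we are set up */
            _exit(1);
        close(ready[1]);
        for (;;)
            pause();   /* ignored signals never wake pause(); only SIGKILL ends this */
    }
    close(ready[1]);
    char c;
    ssize_t n = read(ready[0], &c, 1);      /* wait until the child ignores signals */
    close(ready[0]);
    if (n != 1) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    kill(pid, sig);
    int status = 0, i;
    for (i = 0; i < 50; i++) {              /* poll for up to ~0.5 s */
        if (waitpid(pid, &status, WNOHANG) == pid)
            return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
        struct timespec ts = { 0, 10000000L };   /* 10 ms */
        nanosleep(&ts, NULL);
    }
    /* still alive: sig was ignored; clean up with the one signal that cannot be */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return 0;
}

int main(void)
{
    printf("handler for SIGINT  installable: %d\n", can_install_handler(SIGINT));
    printf("handler for SIGHUP  installable: %d\n", can_install_handler(SIGHUP));
    printf("handler for SIGKILL installable: %d\n", can_install_handler(SIGKILL));
    printf("ignoring child sent SIGINT  -> terminated by signal %d\n", fate_of_ignoring_child(SIGINT));
    printf("ignoring child sent SIGHUP  -> terminated by signal %d\n", fate_of_ignoring_child(SIGHUP));
    printf("ignoring child sent SIGKILL -> terminated by signal %d\n", fate_of_ignoring_child(SIGKILL));
    return 0;
}
```

Build with `cc -Wall -o sigdemo sigdemo.c && ./sigdemo`. The child survives SIGINT and SIGHUP (outcome 0) and dies to SIGKILL (outcome 9 on Linux and the BSDs), regardless of how the lock-like process is written. The practical reading is the one Nico gives: a lock that runs under the user's own uid protects against a passer-by at the keyboard, not against anyone who can already run `kill` as that user, so the session's real boundary is the account, not the lock prompt.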
Current thread:
- screen 4.0.3 local Authentication Bypass - Working on multiple systems Sûnnet Beskerming (Jun 06)
- Re: screen 4.0.3 local Authentication Bypass - Working on multiple systems Nico Golde (Jun 06)
- Re: screen 4.0.3 local Authentication Bypass - Working on multiple systems Sûnnet Beskerming (Jun 06)
- Re: screen 4.0.3 local Authentication Bypass - Working on multiple systems Nico Golde (Jun 06)