Date: Tue, 5 Sep 2000 09:16:36 +0700
From: Eugeny Kuzakov <coredumped@COREDUMPED.NULL.RU>
Subject: Re: screen 3.9.5 root vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

On Tue, 5 Sep 2000, Jouko Pynnönen wrote:

The FreeBSD port is not affected by this problem after 1 Sept 2000, because it contains a security patch for it.

$ cat /usr/ports/misc/screen/patches/patch-sec1
--- screen.c.orig	Fri Sep 1 17:58:35 2000
+++ screen.c	Fri Sep 1 17:57:35 2000
@@ -2311,7 +2311,7 @@
     else if (visual && !D_VB && (!D_status || !D_status_bell))
       {
         D_status_delayed = -1;
-        Msg(0, VisualBellString);
+        Msg(0, "%s", VisualBellString);
         if (D_status)
           {
             D_status_bell = 1;

> Date: Tue, 5 Sep 2000 01:28:01 +0300
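Review bot: the one-line change is the correct fix for this call site, since a constant `"%s"` format means `VisualBellString` is consumed as a data argument and any `%` sequences a user puts in `vbell_msg` are printed literally rather than interpreted; the hunk, however, only touches the `serv_select_fn()` call in screen.c, so before relying on this port patch alone it is worth diffing it against the upstream 3.9.5-3.9.8 change referenced in the advisory to confirm that no other `Msg()` call in the tree passes a user-configurable string in the format position. A minor oddity for the record: the `+++ screen.c` timestamp (17:57:35) is one minute older than `--- screen.c.orig` (17:58:35), which is harmless for `patch` but suggests the header lines were written by hand.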
> From: "Jouko Pynnönen" <jouko@SOLUTIONS.FI>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: screen 3.9.5 root vulnerability
>
> PROBLEM DESCRIPTION
>
> A vulnerability exists in the program "screen" version 3.9.5 and earlier.
> If screen is installed setuid root, a local user may gain root privilege.
> There are many systems where the program isn't setuid root by default, but
> on many systems (afaik at least SuSE Linux, Red Hat 5.2 and earlier, *BSD ports
> packages, Solaris, other commercial unices) it is, making them vulnerable.
>
> To quickly check if your version is vulnerable, have these two lines in
> ~/.screenrc:
>
>   vbell on
>   vbell_msg '%x'
>
> Set TERM to vt100, start screen and press ctrl-G (you may need to issue the
> command echo ^V^G to get a visual bell). If you see a hexadecimal number on
> the last line, your version of screen is vulnerable. However it can't be
> exploited unless the program is installed setuid root.
>
>
> BUG DETAILS
>
> The bug is located in screen.c in function serv_select_fn():
>
>   ...
>   else if (visual && !D_VB && (!D_status || !D_status_bell))
>     {
>       D_status_delayed = -1;
>       Msg(0, VisualBellString);
>       if (D_status)
>         {
>   ...
>
> Msg() feeds the second argument to sprintf() and since VisualBellString is
> user definable, we have a classical format bug. From there, a malicious user
> can either do the old trick and write over a return address in stack, or for
> instance, write over the real_uid variable where screen saves the user id.
> After zeroing this variable with the format string the user can just open
> a new window with a root shell in it.
>
> For this reason the bug is quite platform-independent; no shell code nor
> executable stack is needed. The vulnerability has been tested on Linux, Intel
> and ppc architectures.
>
>
> VULNERABLE SYSTEMS
>
> NetBSD, FreeBSD, OpenBSD (screen is a part of the ports collection)
> Red Hat Linux 5.2 and earlier, SuSE Linux, Solaris, many commercial unices
>
>
> NOT VULNERABLE
>
> Red Hat Linux 6.0 and later, most other Linux distributions
>
>
> WORKAROUND
>
> Removing the setuid bit from the binary makes it impossible to be
> exploited:
>
>   chmod 111 /usr/local/bin/screen     # or /usr/bin/screen
>
> BUT this may require some changes to the mode of screen's socket dir
> (usually /tmp/screens). Consult screen documentation for more info.
>
>
> SOLUTION
>
> Screen authors (and some OS vendors) have been informed and a new version
> of screen can be retrieved from
>
>   ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.8.tar.gz
>
> and diffs relative to version 3.9.5:
>
>   ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.5-3.9.8.diff.gz
>
> Vendor patches for vulnerable systems have been released, or will be
> released shortly.
>
>
> CREDITS
>
> Vulnerability discovered by: Jouko Pynnönen
>
>
> --
> Jouko Pynnönen          Online Solutions Ltd       Secure your Linux -
> jouko@solutions.fi                                  http://www.secmod.com

----
Best wishes,
Eugeny Kuzakov, SA ITBank, Omsk
----
All I want is a warm bed and a kind word and unlimited power
                                        -- Ashleigh Brilliant
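The pattern behind the fix in the thread above, as an added illustration that is not screen's code and not part of either message: a user-configured string that reaches a printf-family format parameter (the advisory's `Msg(0, VisualBellString)`) is interpreted, while the same string passed behind a constant `"%s"` format (the port patch's `Msg(0, "%s", VisualBellString)`) is printed as data. The function names `render_status`, `renders_literally` and `count_format_directives` are hypothetical; `render_status` stands in for the corrected call, and `count_format_directives` is a small audit check a configuration loader or a test can apply to any user-supplied string that must never act as a format.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not screen's code.  screen's Msg() hands its format
 * argument to sprintf(); the vulnerable call was Msg(0, VisualBellString),
 * so a vbell_msg such as '%x' was parsed as a format string.  The fixed
 * call is Msg(0, "%s", VisualBellString).  render_status() (hypothetical
 * name) is a stand-in for that corrected call: the format is a constant
 * and the user text is an ordinary argument, so any '%' sequences in it
 * are copied through literally. */
int render_status(char *out, size_t outlen, const char *user_msg)
{
    return snprintf(out, outlen, "%s", user_msg);
}

/* Returns 1 when the rendered status line is byte-for-byte the user's
 * string, i.e. nothing in it was interpreted as a directive. */
int renders_literally(const char *user_msg)
{
    char buf[128];
    return render_status(buf, sizeof buf, user_msg) >= 0
        && strcmp(buf, user_msg) == 0;
}

/* Audit check (hypothetical helper): count printf-style conversion
 * directives in a user-supplied string.  "%%" is an escaped percent sign
 * and is not counted.  Plain text should score 0; any non-zero result
 * marks a string that must only ever be passed as a "%s" argument. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal percent, skip both */
            s++;
            continue;
        }
        n++;                    /* "%x", "%08x", a trailing lone '%', ... */
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the probe value from the advisory's quick check. */
    const char *vbell = "%x";
    char buf[64];

    render_status(buf, sizeof buf, vbell);
    printf("rendered status line: \"%s\"\n", buf);
    printf("format directives in vbell_msg: %d\n",
           count_format_directives(vbell));
    return 0;
}
```

Modern compilers flag the vulnerable shape directly: GCC and Clang with `-Wformat-security` (enabled by `-Wformat=2`) warn on a printf-family call whose format is a non-literal and that has no further arguments, which is exactly the `Msg(0, VisualBellString)` case once `Msg` carries a `__attribute__((format(printf, 2, 3)))` annotation.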