Date:         Tue, 5 Sep 2000 09:16:36 +0700
From: Eugeny Kuzakov <coredumped@COREDUMPED.NULL.RU>
Subject:      Re: screen 3.9.5 root vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM

On Tue, 5 Sep 2000, Jouko Pynnönen wrote:

The FreeBSD port has not been affected by this problem since 1 Sept 2000,
because it contains a security patch for it.

$ cat /usr/ports/misc/screen/patches/patch-sec1
--- screen.c.orig       Fri Sep  1 17:58:35 2000
+++ screen.c    Fri Sep  1 17:57:35 2000
@@ -2311,7 +2311,7 @@
              else if (visual && !D_VB && (!D_status || !D_status_bell))
                {
                  D_status_delayed = -1;
-                 Msg(0, VisualBellString);
+                 Msg(0, "%s", VisualBellString);
                  if (D_status)
                    {
                      D_status_bell = 1;
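Review bot: Correct fix for this call site, but it covers only this one Msg() caller. VisualBellString comes from the user's ~/.screenrc (vbell_msg), so it must never be the format argument; routing it through the constant "%s" format turns it into plain data. Since the patch touches a single line, the rest of the tree should be checked for the same Msg()-with-variable-format pattern, and declaring Msg() with `__attribute__((format(printf, 2, 3)))` would let -Wformat-security flag any recurrence at compile time instead of relying on review.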


> Date: Tue, 5 Sep 2000 01:28:01 +0300
> From: "Jouko Pynnönen" <jouko@SOLUTIONS.FI>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: screen 3.9.5 root vulnerability
>
> PROBLEM DESCRIPTION
>
> A vulnerability exists in the program "screen" version 3.9.5 and earlier.
> If screen is installed setuid root, a local user may gain root privilege.
> There are many systems where the program isn't setuid root by default, but
> on many systems (afaik at least SuSE Linux, Red Hat 5.2 and earlier, *BSD ports
> packages, Solaris, other commercial unices) it is, making them vulnerable.
>
> To quickly check if your version is vulnerable, have these two lines in
> ~/.screenrc:
>
> vbell on
> vbell_msg '%x'
>
> Set TERM to vt100, start screen and press ctrl-G (you may need to issue the
> command echo ^V^G to get a visual bell). If you see a hexadecimal number on
> the last line, your version of screen is vulnerable. However it can't be
> exploited unless the program is installed setuid root.
>
>
>
> BUG DETAILS
>
> The bug is located in screen.c in function serv_select_fn():
>
> ...
>               else if (visual && !D_VB && (!D_status || !D_status_bell))
>                 {
>                   D_status_delayed = -1;
>                   Msg(0, VisualBellString);
>                   if (D_status)
>                     {
> ...
>
> Msg() feeds the second argument to sprintf() and since VisualBellString is
> user definable, we have a classical format bug. From there, a malicious user
> can either do the old trick and write over a return address in stack, or for
> instance, write over the real_uid variable where screen saves the user id.
> After zeroing this variable with the format string the user can just open
> a new window with a root shell in it.
>
> For this reason the bug is quite platform-independent; no shell code nor
> executable stack is needed. The vulnerability has been tested on Linux, Intel
> and ppc architectures.
>
>
>
> VULNERABLE SYSTEMS
>
> NetBSD, FreeBSD, OpenBSD (screen is a part of the ports collection)
> Red Hat Linux 5.2 and earlier, SuSE Linux, Solaris, many commercial unices
>
>
>
> NOT VULNERABLE
>
> Red Hat Linux 6.0 and later, most other Linux distributions
>
>
>
> WORKAROUND
>
> Removing the setuid bit from the binary makes it impossible to be
> exploited:
>
> chmod 111 /usr/local/bin/screen        # or /usr/bin/screen
>
> BUT this may require some changes to the mode of screen's socket dir
> (usually /tmp/screens). Consult screen documentation for more info.
>
>
>
> SOLUTION
>
> Screen authors (and some OS vendors) have been informed and a new version
> of screen can be retrieved from
>
> ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.8.tar.gz
>
> and diffs relative to version 3.9.5:
>
> ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.5-3.9.8.diff.gz
>
>
> Vendor patches for vulnerable systems have been released, or will be
> released shortly.
>
>
>
> CREDITS
>
> Vulnerability discovered by: Jouko Pynnönen
>
>
>
> --
> Jouko Pynnönen           Online Solutions Ltd       Secure your Linux -
> jouko@solutions.fi                                  http://www.secmod.com
>

----
	Best wishes,
		    Eugeny Kuzakov, SA
			ITBank, Omsk

----
All I want is a warm bed and a kind word and unlimited power
		-- Ashleigh Brilliant
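The following is an added illustration, not code from screen, from the advisory or from the FreeBSD patch. `msg()` is a hypothetical stand-in for screen's Msg(); it shows why passing the user's vbell_msg through a constant "%s" format defuses the bug quoted above, how a printf-format attribute lets the compiler catch the original call pattern, and a small check a defender could run over configuration strings to see whether they contain directives that a format function would interpret.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for screen's Msg(): formats into a status buffer.
 * The format attribute makes gcc/clang check callers with -Wformat-security. */
static char status_line[256];

__attribute__((format(printf, 2, 3)))
static void msg(int err, const char *fmt, ...)
{
    va_list ap;
    (void)err;
    va_start(ap, fmt);
    vsnprintf(status_line, sizeof status_line, fmt, ap);
    va_end(ap);
}

/* Fixed call pattern from the FreeBSD patch: the user-controlled string is a
 * "%s" argument, so "%x" in vbell_msg is printed literally, not interpreted. */
const char *show_visual_bell_fixed(const char *vbell_msg)
{
    msg(0, "%s", vbell_msg);
    return status_line;
}

/* The vulnerable call was msg(0, vbell_msg). With the attribute above, that
 * line is rejected at compile time under -Wformat-security -Werror. It is not
 * executed here: interpreting user text as a format is undefined behaviour. */

/* Count the directives a format function would act on if this string were
 * ever used as a format. "%%" is a literal percent sign and does not count.
 * Useful as a lint over constructed or collected .screenrc vbell_msg values. */
int format_directive_count(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}
```

The advisory's quick test (vbell_msg '%x' showing a hexadecimal number) corresponds to `format_directive_count("%x")` being non-zero while `show_visual_bell_fixed("%x")` returns the literal text.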