mailing list archives
screen 3.9.5 root vulnerability
From: Jouko Pynnönen <jouko () SOLUTIONS FI>
Date: Tue, 5 Sep 2000 01:28:01 +0300
A vulnerability exists in the program "screen" version 3.9.5 and earlier.
If screen is installed setuid root, a local user may gain root privilege.
There are many systems where the program isn't setuid root by default, but
on many systems (afaik at least SuSE Linux, Red Hat 5.2 and earlier, *BSD ports
packages, Solaris, other commercial unices) it is, making them vulnerable.
To quickly check if your version is vulnerable, have these two lines in
Set TERM to vt100, start screen and press ctrl-G (you may need to issue the
command echo ^V^G to get a visual bell). If you see a hexadecimal number on
the last line, your version of screen is vulnerable. However it can't be
exploited unless the program is installed setuid root.
The bug is located in screen.c in function serv_select_fn():
else if (visual && !D_VB && (!D_status || !D_status_bell))
D_status_delayed = -1;
Msg() feeds the second argument to sprintf() and since VisualBellString is
user defineable, we have a classical format bug. From there, a malicious user
can either do the old trick and write over a return address in stack, or for
instance, write over the real_uid variable where screen saves the user id.
After zeroing this variable with the format string the user can just open
a new window with a root shell in it.
For this reason the bug is quite platform-independent; no shell code nor
executable stack is needed. The vulnerability has been tested on Linux, Intel
and ppc architectures.
NetBSD, FreeBSD, OpenBSD (screen is a part of the ports collection)
Red Hat Linux 5.2 and earlier, SuSE Linux, Solaris, many commercial unices
Red Hat Linux 6.0 and later, most other Linux distributions
Removing the setuid bit from the binary makes it impossible to be
chmod 111 /usr/local/bin/screen # or /usr/bin/screen
BUT this may require some changes to the mode of screen's socket dir
(usually /tmp/screens). Consult screen documentation for more info.
Screen authors (and some OS vendors) have been informed and a new version
of screen can be retrieved from
and diffs relative to version 3.9.5:
Vendor patches for vulnerable systems have been released, or will be
Vulnerability discovered by: Jouko Pynnönen
Jouko Pynnönen Online Solutions Ltd Secure your Linux -
jouko () solutions fi http://www.secmod.com
- screen 3.9.5 root vulnerability Jouko Pynnönen (Sep 05)