Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: screen 4.0.3 local Authentication Bypass - Working on multiple systems
From: Sûnnet Beskerming <info () beskerming com>
Date: Thu, 7 Jun 2007 04:25:00 +0930

Hi Nico,

I agree that there isn't much point in going through with the process  
if you already have an open shell.  In order to replicate not only  
the original vulnerability report but the subsequent behaviour, it  
was the only method discovered that even came close.  Source code  
analysis shows there isn't much opportunity to break out of the  
locked environment, and to get the response from screen that one of  
the earlier reports did you need to interrupt screen BEFORE it  
locks.  Plus, it bugged me that a vulnerability put up on milw0rm  
wasn't working as advertised.

Looking in at why BSD might be vulnerable but not other systems when  
a SIGINT is sent led me to look at what happened if another signal  
could replicate the process.  While SIGHUP ended screen as well, it  
was only SIGKILL that then allowed you to reattach the supposedly  
killed screen with screen -r.  I know there are some differences in  
the way BSD handles some signals when compared to Linux / Unix / OS  
X, but this behaviour is just plain odd.

After all of that, I place this in the 'Interesting, but unlikely to  
have practical use' category (for the various reasons already covered).

On 07/06/2007, at 2:41 AM, Nico Golde wrote:

Hi,
* Sûnnet Beskerming <info () beskerming com> [2007-06-06 15:19]:
[...]
~user(screen) $ echo Once the process is killed, I should not  
reappear.
Once the process is killed, I should not reappear.
~user(screen) $ ^a+x
Key: [1234]
Again: [1234]
Screen used by User <user>.
Password:

At this stage we now need to kill the right process.  On OS X, screen
ignores the SIGINT sent by ^c, so we need to send it a SIGKILL.
Using your favourite process killer, kill the outer screen pid
(5171).  If you vary the process, such as:
[...]
What is the point of locking screen with a password if you
have an open shell on the host??? In this case you can just
close the window an reattach the screen session.
Kind regards
Nico
-- 
Nico Golde - JAB: nion () jabber ccc de | GPG: 0x73647CFF
Forget about that mouse with 3/4/5 buttons -
gimme a keyboard with 103/104/105 keys!
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault