Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: screen 4.0.3 local Authentication Bypass
From: "Lolek of TK53" <lolek1337 () googlemail com>
Date: Mon, 4 Jun 2007 19:00:38 +0200

On 6/4/07, rembrandt () jpberlin de <rembrandt () jpberlin de> wrote:
Please take a look at the Attachement dear List moderator. :)
It has been tested on OpenBSD 4.1 + screen 4.0.3 on x86.

How to reproduce:

Lock screen using ctrl+x
Choose a Password
Confirm the Password

Screen asks for a Password to unlock the screen.
Just press ctrl+c and it displays "Getpass error".
2 seconds later the screen is unlocked and you`ve access.

This is not reproducable with screen 4.0.3 on a Linux system. Also
with looking at the code of screen I can see no vulnerability in this
context. Can you show some code that proves your claim?
If not I suggest to get a better operating system distributor ;)
Lolek of TK53
P.S. It's ctrl-a x not ctrl-x

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]