mailing list archives
Re: screen 4.0.3 local Authentication Bypass
From: "Lolek of TK53" <lolek1337 () googlemail com>
Date: Mon, 4 Jun 2007 19:00:38 +0200
On 6/4/07, rembrandt () jpberlin de <rembrandt () jpberlin de> wrote:
Please take a look at the Attachement dear List moderator. :)
It has been tested on OpenBSD 4.1 + screen 4.0.3 on x86.
How to reproduce:
Lock screen using ctrl+x
Choose a Password
Confirm the Password
Screen asks for a Password to unlock the screen.
Just press ctrl+c and it displays "Getpass error".
2 seconds later the screen is unlocked and you`ve access.
This is not reproducable with screen 4.0.3 on a Linux system. Also
with looking at the code of screen I can see no vulnerability in this
context. Can you show some code that proves your claim?
If not I suggest to get a better operating system distributor ;)
Lolek of TK53
P.S. It's ctrl-a x not ctrl-x
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/