Full Disclosure mailing list archives

screen 4.0.3 local Authentication Bypass - Working on multiple systems
From: Sûnnet Beskerming <info () beskerming com>
Date: Wed, 6 Jun 2007 20:33:08 +0930

After fiddling around with different signal codes and looking at the  
process shown by Paul, it looks like we can replicate this bypass on  
other systems now.  Tested and working on OS X 10.4.9 (screen  
4.00.03).  By following the slightly modified procedure, it should be  
repeatable across all systems.

~user(bash) $ screen
[system spawns two new pids, both for screen, and then a third pid for  
Activity Monitor now shows (in hierarchy mode)
pid 4965 Terminal
   \ pid 5111 login
     \ pid 5112 bash
       \ pid 5171 screen
         \ pid 5172 screen
           \ pid 5174 bash

~user(screen) $ echo Once the process is killed, I should not reappear.
Once the process is killed, I should not reappear.
~user(screen) $ ^a+x
Key: [1234]
Again: [1234]
Screen used by User <user>.

At this stage we now need to kill the right process.  On OS X, screen  
ignores the SIGINT sent by ^c, so we need to send it a SIGKILL.   
Using your favourite process killer, kill the outer screen pid  
(5171).  If you vary the process, such as:
        SIGKILL pid 5174 or 5172 - it will appear not to do anything, but  
when the password is re-entered it will return an error that it can't  
connect to session 5172.ttyp1.user and will terminate 5172 at this  
time.  Occasionally, it will not kill the parent process, or will  
refuse the legitimate password, but normally it will terminate.   
Running screen -r will identify one or more screens that could be  
dead but not able to be accessed (then run screen -wipe to remove them).

~user(bash) $ screen -r
[automatically loads the following]

~user(screen) $ echo Once the process is killed, I should not reappear.
Once the process is killed, I should not reappear.
~user(screen) $

The system has spawned a completely new pid for screen, and has only  
loaded a single instance of it.  If the user now locks the screen it  
will ask for the password all over again - it has forgotten the  
original setting.  If you are going to use it to poke around  
someone's command history or screen use, then be aware of this result  
(then again, if you knew the password in the beginning, why bother  
with this process).

Have at it.


Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
