Hello.. ah.... I'm a beginner, so posting this is a little embarrassing.... -_-a
This should have gone to the security list, but I didn't know...
This is a security advisory that came out on 9/7... about two days have passed already..^^
A vulnerability exists in the program "screen" versions 3.9.5 and earlier. If screen is installed setuid root, a local user may gain root privilege. There are some systems where the program isn't setuid root by default, but on many systems (SuSE Linux, Red Hat 5.2 and earlier, *BSD ports packages, Solaris, and others) it is - making this vulnerability very dangerous.
Vulnerable systems:
NetBSD
FreeBSD
OpenBSD (screen is a part of the ports collection)
Red Hat Linux 5.2 and earlier
SuSE Linux
Solaris
Many other commercial UNIX flavors
To quickly check if your version is vulnerable, have these two lines in ~/.screenrc:
vbell on
vbell_msg '%x'
Set TERM to vt100, start screen and press ctrl-G (you may need to issue the command echo ^V^G to get a visual bell). If you see a hexadecimal number on the last line, your version of screen is vulnerable. However, it can't be exploited unless the program is installed setuid root.
Immune systems:
Red Hat Linux 6.0 and later, most other Linux distributions
The bug is located in screen.c in function serv_select_fn():
...
    else if (visual && !D_VB && (!D_status || !D_status_bell))
    {
        D_status_delayed = -1;
        Msg(0, VisualBellString);
        if (D_status)
        {
...
Msg() feeds its second argument to sprintf(), and since VisualBellString is user-defined, this is a classic format string bug. From there, a malicious user can either do the old trick and write over a return address on the stack, or, for instance, write over the real_uid variable where screen saves the user id. After zeroing this variable with the format string, the user can just open a new window with a root shell in it.
For this reason the bug is quite platform-independent: neither shell code nor an executable stack is needed. The vulnerability has been tested on Linux, on Intel and PPC architectures.
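As an added example (not from the advisory and not screen's source), here is the Msg()-style call in its vulnerable shape next to the hardened one, plus a small audit check for the %-directives the ~/.screenrc quick test relies on; all function names are invented for this illustration.

```c
/* Constructed illustration of the Msg()/sprintf() pattern described above; not
 * screen's code. All function names here are invented for the example. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for screen's variadic Msg(): the second argument is a printf
 * format, so whatever string reaches it is interpreted, not merely copied. */
static void msg_like(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (as in the advisory): the user's vbell_msg value *is* the
 * format. A value like "%x" makes vsnprintf() read an argument that was never
 * passed, which is what the ~/.screenrc quick test above makes visible. */
void vbell_vulnerable(char *out, size_t n, const char *vbell_msg)
{
    msg_like(out, n, vbell_msg);
}

/* Hardened shape: a literal format string; the user's value is only data. */
void vbell_fixed(char *out, size_t n, const char *vbell_msg)
{
    msg_like(out, n, "%s", vbell_msg);
}

/* Audit helper: does a vbell_msg value contain a conversion printf would act
 * on? "%%" is a literal percent; a lone trailing '%' is incomplete and flagged. */
int has_format_directive(const char *s)
{
    for (; *s; s++)
        if (*s == '%' && *++s != '%')
            return 1;
    return 0;
}

/* Do both paths yield the same text? Call only with values for which the
 * vulnerable path is well-defined (nothing but "%%" among the percents). */
int paths_agree(const char *vbell_msg)
{
    char a[64], b[64];
    vbell_vulnerable(a, sizeof a, vbell_msg);
    vbell_fixed(b, sizeof b, vbell_msg);
    return strcmp(a, b) == 0;
}
```

Even the harmless "100%% done" shows the two paths diverging: the vulnerable one collapses it to "100% done", the fixed one keeps the text exactly as configured.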
Workaround:
Removing the setuid bit from the binary makes it impossible to exploit:
$ chmod 111 /usr/local/bin/screen (or /usr/bin/screen)
Note that this may require some changes to the mode of screen's socket dir (usually /tmp/screens). Consult screen documentation for more info.
Solution:
Screen authors (and some OS vendors) have been informed and a new version of screen can be retrieved from:
ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.8.tar.gz
Diffs relative to version 3.9.5:
ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.5-3.9.8.diff.gz
My English isn't very good... Take care, everyone..
Copyright © 1998-2005 Korea FreeBSD Users Group. All rights reserved. webmaster at kr.FreeBSD.org $Date: 2002/03/26 13:28:57 $