Title: Screen 3.9.5 root vulnerability
Released by:
Date: 4th September 2000
PROBLEM DESCRIPTION

A vulnerability exists in the program "screen" version 3.9.5 and earlier.
If screen is installed setuid root, a local user may gain root privilege.
There are many systems where the program isn't setuid root by default, but
on many systems (afaik at least SuSE Linux, Red Hat 5.2 and earlier, *BSD ports
packages, Solaris, other commercial unices) it is, making them vulnerable.

To quickly check if your version is vulnerable, have these two lines in
~/.screenrc:

vbell on
vbell_msg '%x'

Set TERM to vt100, start screen and press ctrl-G (you may need to issue the
command echo ^V^G to get a visual bell). If you see a hexadecimal number on
the last line, your version of screen is vulnerable. However, it can't be
exploited unless the program is installed setuid root.

BUG DETAILS

The bug is located in screen.c in function serv_select_fn():

...
              else if (visual && !D_VB && (!D_status || !D_status_bell))
                {
                  D_status_delayed = -1;
                  Msg(0, VisualBellString);
                  if (D_status)
                    {
...

Msg() feeds the second argument to sprintf(), and since VisualBellString is
user-definable, we have a classic format string bug. From there, a malicious user
can either do the old trick and write over a return address on the stack, or, for
instance, write over the real_uid variable where screen saves the user id.
After zeroing this variable with the format string the user can just open
a new window with a root shell in it.

For this reason the bug is quite platform-independent; no shell code nor
executable stack is needed. The vulnerability has been tested on Linux, on Intel
and ppc architectures.
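
As an added illustration (not screen's own code and not the 3.9.8 fix), here is the pattern from the excerpt above beside the hardened call, plus a small check for a configured vbell_msg that the vulnerable code would interpret as a format; Msg(), the status buffer and the helper names are stand-ins assumed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for screen's Msg(): formats a message into the status line. */
static char status_line[256];

static void Msg(int err, const char *fmt, ...)
{
    va_list ap;
    (void)err;
    va_start(ap, fmt);
    vsnprintf(status_line, sizeof status_line, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern from serv_select_fn(): the user's vbell_msg becomes the
 * format string, so "%x", "%n", ... inside it are interpreted by printf. */
void show_vbell_vulnerable(const char *VisualBellString)
{
    Msg(0, VisualBellString);
}

/* Hardened pattern: the format is fixed, the user's string is only data. */
void show_vbell_fixed(const char *VisualBellString)
{
    Msg(0, "%s", VisualBellString);
}

/* Audit helper: nonzero if a configured vbell_msg contains a '%' that the
 * vulnerable code would treat as a conversion ("%%" is a literal percent). */
int vbell_msg_has_directives(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') p++;
            else return 1;
        }
    }
    return 0;
}

/* Returns what the hardened call puts on the status line. */
const char *vbell_status_fixed(const char *msg)
{
    show_vbell_fixed(msg);
    return status_line;
}
```

With the '%x' line from the check above, the audit helper flags the message and the hardened call shows it literally instead of a stack word.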
VULNERABLE SYSTEMS

NetBSD, FreeBSD, OpenBSD (screen is a part of the ports collection)
Red Hat Linux 5.2 and earlier, SuSE Linux, Solaris, many commercial unices

NOT VULNERABLE

Red Hat Linux 6.0 and later, most other Linux distributions

WORKAROUND

Removing the setuid bit from the binary makes it impossible to exploit:

chmod 111 /usr/local/bin/screen        # or /usr/bin/screen

BUT this may require some changes to the mode of screen's socket dir
(usually /tmp/screens). Consult the screen documentation for more info.

SOLUTION

Screen authors (and some OS vendors) have been informed and a new version
of screen can be retrieved from

http://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.8.tar.gz

and diffs relative to version 3.9.5:

http://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.5-3.9.8.diff.gz

Vendor patches for vulnerable systems have been released, or will be
released shortly.

CREDITS

Vulnerability discovered by: Jouko Pynnönen

--
Jouko Pynnönen           Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi                                  http://www.secmod.com