Bugtraq mailing list archives

Re: security vulnerabilities in screen


From: ubellrj () LEXIS-NEXIS COM (Richard Bellingar)
Date: Wed, 1 Nov 1995 16:14:16 -0500


Stephen,
        The only screen-related security issues I have seen discussions on
centered around the "glare" potential; i.e., someone stealing an active
screen session or "recovering" a disconnected screen session, rather than
problems or exposures relating to the SUID nature of the tool. If you hear
something about SUID-exposures, please pass it along (I use screen _a lot_
when I can't get an X session...)

Thanks.

rick.bellingar () lexis-nexis com
                                   ----+----
        Rick Bellingar, Staff Security Analyst, (513) 865-7005
        LEXIS-NEXIS, 9443 Springboro Pike, Miamisburg, Ohio 45342 (USA)

   -*-  Press on...persistence and determination alone are omnipotent  -*-

On Mon, 30 Oct 1995, Stephen E. Hansen wrote:

Someone just sent me a note asking if I was aware of any security
vulnerabilities in the program "screen" (it uses ptty's for multiple
sessions and session reconnects).  He was concerned because it claims
to need to be suid root to function properly.  I have a fuzzy memory
of there being a security problem report about screen, but it was two or
three years ago and I can't find it in my e-mail archive.

Can anyone out there verify that a problem exists or that a patched
version is available?

Thanks,
Stephen Hansen

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Stephen E. Hansen - Computer Security Officer - security () Stanford EDU
  Room 319, Sweet Hall Stanford University, Stanford, CA 94305-3090
  Phone: +1-415-723-2911    WWW: http://www.stanford.edu/~security
  Fax:   +1-415-725-1548    PGP: finger security-pgp () netserver Stanford EDU

  The church is near, but the road is icy.
  The bar is far away, but I will walk carefully.  -- Russian Proverb


