Bugtraq mailing list archives
screen 3.07.02
From: khelbin () CONNIX COM (Khelbin)
Date: Thu, 20 Feb 1997 21:23:31 -0500
Screen 3.07.02, when setuid root (as it usually is), is possibly vulnerable to a buffer overflow, at least on certain platforms. I haven't read through all the source, but just looking quickly I noticed that attacher.c does the following:

    struct passwd *ppp;
    char fullname[100];
    strcpy(fullname, ppp->pw_gecos);

I was able to whip up a quick exploit, but it failed to work here on BSDI 1.1 because chpass/chfn will not accept certain characters. Thus, reading shellcode into the Full Name field produced an error message of "Illegal Character found in the Full Name field, re-edit [y]?" or something similar.

Any OS or version of chfn/chpass which does not check for 'illegal characters' or the length of the info being put into the field (BSDI 1.1 did not check length, only for illegal characters) may be vulnerable (I didn't check if it had given up suid root privs yet; I was going to do that by overflowing it with my shellcode string). If anyone can check on different platforms and get back to me, I'd be interested.

What I was doing was just putting my shellcode string into an ENV variable (with the NOPs and ret address back to the NOPs) and echoing the ENV variable to a file. Then just read in that file when you're in chpass/chfn as the new gecos info.

I really didn't take much time in looking through the code and found a possible problem, so I'm sure there's more. Screen is a pretty big program for being suid root, and that old advice of not running programs you don't need, especially suid ones, is always true.

-khelbin
email: khelbin () connix com
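The defect in the post is an unbounded strcpy() of an attacker-controlled passwd field (pw_gecos, which chfn/chpass let the user set) into a fixed 100-byte stack buffer. The following is an added example, not code from the post or from screen: the hypothetical functions copy_gecos_bounded(), gecos_overflows_fullname() and bounded_copy_stays_in_bounds() show the defensive pattern a maintainer would want in attacher.c, namely bounding the copy by the destination size, reporting truncation, and checking that nothing past the buffer is written. The sample gecos values are constructed, not real account data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not screen's code. The post quotes attacher.c copying
 * pw_gecos into char fullname[100] with strcpy(), so any gecos value of
 * 100 bytes or more (chfn/chpass on some systems do not bound it) runs
 * past the buffer. The functions below are hypothetical replacements
 * showing the defensive pattern: bound the copy by the destination size
 * and report truncation instead of silently overrunning. */

#define FULLNAME_LEN 100   /* same buffer size as in the quoted snippet */

/* Copy src into dst, never writing more than dstlen bytes and always
 * NUL-terminating. Returns 0 if src fit, 1 if it was truncated,
 * -1 on a NULL or zero-length destination. A NULL src counts as "". */
int copy_gecos_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    if (src == NULL)
        src = "";
    n = strlen(src);
    if (n >= dstlen) {              /* would not fit with its terminator */
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Pre-check a gecos value against the fixed buffer in the post:
 * returns 1 when strcpy() into char[FULLNAME_LEN] would overrun. */
int gecos_overflows_fullname(const char *gecos)
{
    return gecos != NULL && strlen(gecos) + 1 > (size_t)FULLNAME_LEN;
}

/* A fullname buffer followed by a sentinel word. The bounded copy must
 * leave the sentinel untouched however long the input is; an unbounded
 * strcpy() of an oversized gecos would clobber whatever follows. */
struct fullname_probe {
    char fullname[FULLNAME_LEN];
    unsigned int sentinel;
};

#define SENTINEL_VALUE 0xA5A5A5A5u

/* Copy gecos with the bounded routine and report whether the buffer
 * stayed NUL-terminated and the sentinel survived (1) or not (0). */
int bounded_copy_stays_in_bounds(const char *gecos)
{
    struct fullname_probe p;

    p.sentinel = SENTINEL_VALUE;
    copy_gecos_bounded(p.fullname, sizeof p.fullname, gecos);
    return p.sentinel == SENTINEL_VALUE
        && memchr(p.fullname, '\0', sizeof p.fullname) != NULL;
}

/* Constructed sample: a 199-character gecos field, well over the
 * 100-byte buffer. Not real account data. */
const char *sample_oversized_gecos(void)
{
    static char big[200];

    if (big[0] == '\0') {
        memset(big, 'A', sizeof big - 1);
        big[sizeof big - 1] = '\0';
    }
    return big;
}

int main(void)
{
    const char *normal = "Jane Doe,Room 101,555-0100";  /* constructed */
    const char *big = sample_oversized_gecos();
    char fullname[FULLNAME_LEN];
    int rc;

    rc = copy_gecos_bounded(fullname, sizeof fullname, normal);
    printf("normal gecos: overflows=%d truncated=%d -> \"%s\"\n",
           gecos_overflows_fullname(normal), rc, fullname);

    rc = copy_gecos_bounded(fullname, sizeof fullname, big);
    printf("oversized gecos: overflows=%d truncated=%d kept=%zu bytes\n",
           gecos_overflows_fullname(big), rc, strlen(fullname));

    printf("sentinel intact after bounded copy: %d\n",
           bounded_copy_stays_in_bounds(big));
    return 0;
}
```

On systems that provide strlcpy() (the BSDs, and glibc from 2.38) the copy routine collapses to one call with the same truncation semantics; the explicit version above is used so it builds anywhere. The bounded copy addresses only the overflow the post quotes; the post's other point, whether screen has already given up its setuid root privileges when it touches passwd data, is a separate check, since a setuid program that drops to the real uid before parsing untrusted fields limits what any remaining bug is worth.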