Bugtraq mailing list archives

screen 3.07.02


From: khelbin () CONNIX COM (Khelbin)
Date: Thu, 20 Feb 1997 21:23:31 -0500


Screen 3.07.02, when setuid root (as it usually is), is possibly vulnerable to a
buffer overflow at least on certain platforms.  I haven't read through all
the source but just looking quickly I noticed that attacher.c does the
following:

      struct passwd *ppp;       /* pointer to the user's passwd entry (the posting
                                   declared "ppp" without the "*" but uses "->") */
      char fullname[100];

      strcpy(fullname, ppp->pw_gecos);   /* unbounded copy of the gecos field into
                                            a fixed 100-byte stack buffer */

I was able to whip up a quick exploit but it failed to work here on BSDI
1.1 because chpass/chfn will not accept certain characters.  Thus, reading
in shellcode into the Full Name field produced an error message of "Illegal
Character found in the Full Name field,  re-edit [y]?" or something
similar.

Any OS or version of chfn/chpass which does not check for 'illegal
characters' or the length of the info being put into the field (BSDI 1.1
did not check length, only for illegal characters) may be vulnerable (I
didn't check if it had given up suid root privs yet, I was going to do
that by overflowing it with my shellcode string).

If anyone can check on different platforms and get back to me, I'd be
interested.  What I was doing was just putting my shellcode string into an
ENV variable (with the NOPs and ret address back to the NOPs) and echoing
the ENV variable to a file.  Then just read in that file when yer in
chpass/chfn as the new gecos info.

I really didn't take much time in looking through the code and found a
possible problem so I'm sure there's more.  Screen is a pretty big program
for being suid root and that old advice of not running programs you don't
need, especially suid ones, is always true.


 -khelbin
 email: khelbin () connix com
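As an added example (not part of the original posting or of the screen source), here is the check an administrator or maintainer would want for the pattern quoted above: a small parser that finds the gecos field of a passwd(5) line, reports whether an unbounded strcpy() into the 100-byte fullname[] would overflow, and a bounded replacement for that copy. The line format helper and the account it builds are constructed for the demo; the buffer size 100 is the one quoted from attacher.c.

```c
#include <string.h>
#define FULLNAME_LEN 100   /* same fixed size as fullname[] in the quoted attacher.c */
char fullname[FULLNAME_LEN];  /* destination buffer, named as in the quoted code */

/* Locate the gecos (5th colon-separated) field of a passwd(5) line.
 * Returns its length and sets *start, or -1 if the line is malformed. */
int gecos_field(const char *line, const char **start)
{
    const char *p = line, *end;
    for (int i = 0; i < 4; i++) {
        if (!(p = strchr(p, ':'))) return -1;
        p++;
    }
    if (!(end = strchr(p, ':'))) return -1;
    *start = p;
    return (int)(end - p);
}

/* 1 if strcpy() of this line's gecos into char[FULLNAME_LEN] would overflow
 * (len + 1 bytes are needed for the NUL), 0 if it fits, -1 if malformed. */
int gecos_overflows(const char *line)
{
    const char *g;
    int len = gecos_field(line, &g);
    return len < 0 ? -1 : (len + 1 > FULLNAME_LEN);
}

/* Bounded replacement for the unbounded strcpy: copies at most FULLNAME_LEN-1
 * bytes and always NUL-terminates. Returns 1 if the field was truncated. */
int copy_fullname(char *out, const char *gecos, size_t gecos_len)
{
    size_t n = gecos_len < FULLNAME_LEN - 1 ? gecos_len : FULLNAME_LEN - 1;
    memcpy(out, gecos, n);
    out[n] = '\0';
    return gecos_len > n;
}

/* Constructed passwd line (not a real account) whose gecos field is gecos_len
 * bytes of 'A'; the field starts at offset 17. Returns NULL if too long. */
const char *constructed_line(size_t gecos_len)
{
    static char buf[512];
    const char *head = "user:x:1000:1000:", *tail = ":/home/user:/bin/sh";
    size_t hl = strlen(head);
    if (hl + gecos_len + strlen(tail) + 1 > sizeof buf) return NULL;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', gecos_len);
    strcpy(buf + hl + gecos_len, tail);
    return buf;
}
```

Run gecos_overflows() over each line of a passwd file to find entries that would already trip the quoted copy; the 99-byte limit in copy_fullname() is what the fixed code needs to enforce.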


