| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Jun 2007 04:25:00 +0930 From: Sûnnet Beskerming <info@...kerming.com> To: Nico Golde <fd@...lde.de> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: screen 4.0.3 local Authentication Bypass - Working on multiple systems Hi Nico, I agree that there isn't much point in going through with the process if you already have an open shell. In order to replicate not only the original vulnerability report but the subsequent behaviour, it was the only method discovered that even came close. Source code analysis shows there isn't much opportunity to break out of the locked environment, and to get the response from screen that one of the earlier reports did you need to interrupt screen BEFORE it locks. Plus, it bugged me that a vulnerability put up on milw0rm wasn't working as advertised. Looking in at why BSD might be vulnerable but not other systems when a SIGINT is sent led me to look at what happened if another signal could replicate the process. While SIGHUP ended screen as well, it was only SIGKILL that then allowed you to reattach the supposedly killed screen with screen -r. I know there are some differences in the way BSD handles some signals when compared to Linux / Unix / OS X, but this behaviour is just plain odd. After all of that, I place this in the 'Interesting, but unlikely to have practical use' category (for the various reasons already covered). On 07/06/2007, at 2:41 AM, Nico Golde wrote: > Hi, > * Sûnnet Beskerming <info@...kerming.com> [2007-06-06 15:19]: > [...] >> ~user(screen) $ echo Once the process is killed, I should not >> reappear. >> Once the process is killed, I should not reappear. >> ~user(screen) $ ^a+x >> Key: [1234] >> Again: [1234] >> Screen used by User <user>. >> Password: >> >> At this stage we now need to kill the right process. On OS X, screen >> ignores the SIGINT sent by ^c, so we need to send it a SIGKILL. >> Using your favourite process killer, kill the outer screen pid >> (5171). If you vary the process, such as: > [...] > What is the point of locking screen with a password if you > have an open shell on the host??? In this case you can just > close the window an reattach the screen session. > Kind regards > Nico > -- > Nico Golde - JAB: nion@...ber.ccc.de | GPG: 0x73647CFF > Forget about that mouse with 3/4/5 buttons - > gimme a keyboard with 103/104/105 keys! > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ Carl Sûnnet Beskerming Pty. Ltd. Adelaide, Australia http://www.beskerming.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists