lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <AAF77B91-B4AC-498E-BBB8-9447F7E15429@beskerming.com>
Date: Tue, 5 Jun 2007 15:32:05 +0930
From: Sûnnet Beskerming <info@...kerming.com>
To: warl0ck@...aeye.org,
 rembrandt@...erlin.de
Cc: Lolek of TK53 <lolek1337@...glemail.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: screen 4.0.3 local Authentication Bypass

Hi,

What you've done below is actually sent a SIGINT (^c) at the start of  
the screen lock process, and not actually locked the screen.  In  
order to get the 'Getpass error' (which is what the original report  
alerted on), then you pass through both rounds of key acceptance, but  
fail prior to actual locking of the screen.  It will then sleep(2)  
with the 'Getpass error' before returning to the original prompt.   
NOTE - screen was never locked at this point.

The normal method of operation:

~user(bash) $screen
(press enter to ack info)
~user(screen) $^a+x
Key:	<-- Enter a password
Again:	<-- Re-enter
Screen used by User <user>.
Password: <-- Same password as above
~user(screen) $exit
~user(bash) $

If you send the SIGINT at the first Key: prompt, you haven't actually  
locked screen, but it will drop you back down to the screen prompt

~user(bash) $screen
(press enter to ack info)
~user(screen) $^a+x
Key: ^c
~user(screen) $exit
~user(bash) $

If you follow the instructions to the letter, you tend to get this on  
a non-BSD system:

~user(bash) $screen
(press enter to ack info)
~user(screen) $^a+x
Key:	<-- Enter a password
Again:	<-- Re-enter
Screen used by User <user>.
Password: ^c
Screen used by User <user>.
Password: ^c
Screen used by User <user>.
Password: ^c

If (and a big if) BSD is sending the SIGINT to screen as a whole,  
then what may be happening is the SIGINT terminating screen itself:

~user(bash) $screen
(press enter to ack info)
~user(screen) $^a+x
Key:	<-- Enter a password
Again:	<-- Re-enter
Screen used by User <user>.
Password: ^c
~user(bash) $

It may even be poor handling of SIGRETURN, though it should be noted  
that OS X also uses SIGRETURN in the same way that BSD does.  If it  
is poor handling of SIGRETURN, this might explain why (from the man  
page):

     "Sigreturn() allows users to atomically unmask, switch stacks,  
and return
      from a signal context.  The processes signal mask and stack  
status are
      restored from the context.  The system call does not return;  
the users
      stack pointer, frame pointer, argument pointer, and processor  
status
      longword are restored from the context.  Execution resumes at  
the speci-
      fied pc."

The code applicable to the LockTerminal() function can be found in  
attacher.c, which has not changed over the last several versions -  
suggesting that older versions of the code may also be at risk.   
Again, in order to get the errors as claimed in the advisory, screen  
DOES NOT lock.

On 05/06/2007, at 9:58 AM, Pranay Kanwar wrote:

> Hi,
>
> Verified on OpenBSD
>
> $ uname -a
> OpenBSD drake 4.1 GENERIC#172 i386
> $ pkg_info screen
> Information for inst:screen-4.0.3p0
>
> Comment:
> multi-screen window manager
> ------output snipped------
>
> $screen
> Then pressing space-bar to continue
>
> Locking the screen with C-a C-x.
>
> Pressing Ctrl+C
>
> Key:
> Getpass error
> $
>
> The screen gets unlocked without entering a password.
>
> Regards
>
> warl0ck // MSG
> http://www.metaeye.org
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ