After fiddling around with different signal codes and looking at the process shown by Paul, it looks like we can replicate this bypass on other systems now. Tested and working on OS X 10.4.9 (screen 4.00.03). By following the slightly modified procedure, it should be repeatable across all systems.

~user(bash) $ screen
[system spawns two new pid, both for screen, and then a third pid for bash]

Activity Monitor now shows (in hierarchy mode)

pid 4965 Terminal
 \ pid 5111 login
  \ pid 5112 bash
   \ pid 5171 screen
    \ pid 5172 screen
     \ pid 5174 bash

~user(screen) $ echo Once the process is killed, I should not reappear.
Once the process is killed, I should not reappear.
~user(screen) $ ^a+x
Key: [1234]
Again: [1234]
Screen used by User <user>.
Password:

At this stage we now need to kill the right process. On OS X, screen ignores the SIGINT sent by ^c, so we need to send it a SIGKILL. Using your favourite process killer, kill the outer screen pid (5171).

If you vary the process, such as:

SIGKILL pid 5174 or 5172 - It will appear to not do anything, but when the password is re-entered it will return an error that it can't connect to session 5172.ttyp1.user and will terminate 5172 at this time.

Occasionally, it will not kill the parent process, or will refuse the legitimate password, but normally it will terminate. Running screen -r will identify one or more screens that could be dead, but not able to access (then run screen -wipe to remove them completely).

Password:Killed
~user(bash) $ screen -r
[automatically loads the following]
~user(screen) $ echo Once the process is killed, I should not reappear.
Once the process is killed, I should not reappear.
~user(screen) $

The system has spawned a completely new pid for screen, and has only loaded a single instance of it. If the user now locks the screen it will ask for the password all over again - it has forgotten the original setting.

If you are going to use it to poke around someone's command history or screen use, then be aware of this result (then again, if you knew the password in the beginning, why bother with this process).

Have at it.

Carl

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com