SecuriTeam - GNU Screen Buffer Overflow (Negative Size)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam
Beyond Security

SecuriTeam Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

A buffer overflow in GNU screen allows privilege escalation for local users. Usually screen is installed either setgid-utmp or setuid-root.

It also has some potential for remote attacks or getting control of another user's screen. The problem is that you have to transfer around 2-3 gigabytes of data to user's screen to exploit this vulnerability.

Credit:
The information has been provided by Timo Sirainen.

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable systems:
* GNU Screen version 4.0.1, 3.9.15 and older versions

Vulnerable code:
ansi.c:

            case '0': case '1': case '2': case '3': case '4':
            case '5': case '6': case '7': case '8': case '9':
              if (curr->w_NumArgs < MAXARGS)
                {
                  if (curr->w_args[curr->w_NumArgs] < 100000000)
                    curr->w_args[curr->w_NumArgs] =
                      10 * curr->w_args[curr->w_NumArgs] + (c - '0');
                }
              break;
            case ';':
            case ':':
              curr->w_NumArgs++;
              break;

w_NumArgs is signed integer, so after you've sent 2GB of ';' characters in escape sequence it wraps to negative and the < MAXARGS protection fails. Then it's only a matter of finding a position in memory where the next "if check" passes and does something useful.

Vendor status:
Sent a mail to screen@uni-erlangen.de (16.10), no reply. Sent a mail to screen mailing list (24.10), didn't help much.

Unofficial patch:
--- ansi.c.old  2003-11-15 18:04:12.000000000 +0200
+++ ansi.c      2003-11-15 18:04:51.000000000 +0200
@@ -559,7 +559,7 @@
            {
            case '0': case '1': case '2': case '3': case '4':
            case '5': case '6': case '7': case '8': case '9':
-             if (curr->w_NumArgs < MAXARGS)
+             if (curr->w_NumArgs >= 0 && curr->w_NumArgs < MAXARGS)
                {
                  if (curr->w_args[curr->w_NumArgs] < 100000000)
                    curr->w_args[curr->w_NumArgs] =
--- resize.c.old        2003-11-27 02:55:07.000000000 +0200
+++ resize.c    2003-11-27 02:58:33.000000000 +0200
@@ -682,6 +682,17 @@
   if (wi == 0)
     he = hi = 0;

+  if (wi > 1000)
+    {
+      Msg(0, "Window width too large, truncated");
+      wi = 1000;
+    }
+  if (he > 1000)
+    {
+      Msg(0, "Window height too large, truncated");
+      he = 1000;
+    }
+
   if (p->w_width == wi && p->w_height == he && p->w_histheight == hi)
     {
       debug("ChangeWindowSize: No change.\n");

	PHP dba_replace() Arbitrary File Destruction
	VLC Media Player RealText Processing Stack Overflow Vulnerability
	LibSPF2 DNS TXT Record Parsing Bug
	GNU Enscript "setfilename" Special Escape Buffer Overflow
	File-Find-Object Format String Vulnerability
	Veritas Storage Foundation Arbitrary File Read Vulnerability
	Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability
	Apache Tomcat Information Disclosure (RemoteFilterValve)
	Apple CUPS HP-GL/2 filter Code Execution Vulnerability
	WordPress MU wpmu-Blogs.php Crose Site Scrpting Vulnerability
	strongSwan IKEv2 Denial of Service Vulnerability
	Cross-Site Scripting Filter Evasion in Various Frameworks / Applications
	MySQL Charset Truncation Vulnerability
	Wordpress user_login Column SQL Truncation Vulnerability
	Joomla Weak Random Password Reset Token Vulnerability