Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 607116 (CVE-2017-5618) - =app-misc/screen-4.5.0 - root privilege escalation when /usr/bin/screen is set setgid/setuid with -L <file>
Summary: =app-misc/screen-4.5.0 - root privilege escalation when /usr/bin/screen is se...
Status: RESOLVED FIXED
Alias: CVE-2017-5618
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-24 21:29 UTC by Jeroen Roovers (RETIRED)
Modified: 2017-01-29 23:55 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2017-01-24 21:29:19 UTC
URL:
  <http://savannah.gnu.org/bugs/?50142>

                 Summary: root exploit 4.5.0
                 Project: GNU Screen
            Submitted by: None
            Submitted on: Tue 24 Jan 2017 07:05:09 PM UTC
                Category: Program Logic
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Private
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
           Fixed Release: None
         Planned Release: None
           Work Required: None

    _______________________________________________________

Details:

Commit f86a374 ("screen.c: adding permissions check for the logfile name",
2015-11-04)

The check opens the logfile with full root privileges. This allows us to
truncate any file or create a root-owned file with any contents in any
directory and can be easily exploited to full root access in several ways.

> buczek@theinternet:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16
> buczek@theinternet:~$ id
> uid=125(buczek) gid=125(buczek)  
groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)
> buczek@theinternet:~$ cd /etc
> buczek@theinternet:/etc (master)$ screen -D -m -L bla.bla echo fail
> buczek@theinternet:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> buczek@theinternet:/etc (master)$ cat bla.bla
> fail
> buczek@theinternet:/etc (master)$   

Donald Buczek <buczek@molgen.mpg.de>
Comment 1 Hanno Böck gentoo-dev 2017-01-24 22:07:53 UTC
Please also note bug #591772 - it currently prevents screen from being usable without suid.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-25 08:33:50 UTC
The screen-devel mailing list says that reverting [1] brings back an older problem but also fixes this vulnerability.


[1] http://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=5460f5d28c01a9a58e021eb1dffef2965e629d58
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-25 10:29:24 UTC
(In reply to Jeroen Roovers from comment #2)
> The screen-devel mailing list says that reverting [1] brings back an older
> problem but also fixes this vulnerability.
> 
> 
> [1]
> http://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-
> v4&id=5460f5d28c01a9a58e021eb1dffef2965e629d58

And Debian has rolled out a revision that does exactly that.

https://packages.qa.debian.org/s/screen/news/20170124T223559Z.html
Comment 4 Sven Wegener gentoo-dev 2017-01-29 09:14:05 UTC
I've addedd 4.5.0-r1, reverting the upstream commit.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-29 21:05:23 UTC
So that's fixed, then.
Comment 6 Thomas Deutschmann gentoo-dev 2017-01-29 23:55:54 UTC
So bug was only present in a new version which only appeared in ~ARCH. Repository is clean, no need to stabilize anything.

Thank you maintainer(s)!