GNU Screen Integer Overflow in 'ansi.c' May Let Local Users Gain Elevated Privileges
|
|
SecurityTracker Alert ID: 1008321
|
|
CVE Reference: CAN-2003-0972
|
Updated: Dec 2 2003
|
Original Entry Date: Nov 27 2003
|
Impact: Execution of arbitrary code via local system, Root access via local system, User access via local system
|
Version(s): 4.0.1, 3.9.15, and prior versions
|
Description: A vulnerability was reported in GNU Screen. A local user may be able to execute arbitrary code to gain elevated privileges on the target system.
It is reported that a local user can send 2 to 3 gigabytes of data to a target user's screen to trigger a flaw in 'ansi.c'. The escape-sequence parser counts parameters in 'w_NumArgs', a signed integer that is incremented for every ';' or ':' separator with no upper bound. After roughly 2^31 separators the counter wraps to a negative value. The only bounds check performed before a digit is stored, 'w_NumArgs < MAXARGS', still passes for a negative value, so the digit is written through a negative index into 'w_args', i.e. before the start of the array.
The report indicates that screen is typically installed with set user id (setuid) root privileges or set group id (setgid) utmp group privileges.
The vendor has reportedly been notified.
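The wrap described above, as an added example written for this entry rather than code from the reporter or from GNU screen. The vulnerable check is shown beside the check from the reporter's patch, driven by a cut-down model of the parameter parser. MAXARGS, the struct layout and all function names are assumptions; the counter is pre-seeded just below INT_MAX instead of streaming 2^31 separator bytes, and the out-of-bounds store is recorded rather than performed.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical argument limit; the page does not show screen's real MAXARGS. */
#define MAXARGS 64

/* Minimal model of the two fields the report names (w_NumArgs, w_args). Constructed. */
struct win {
    int num_args;
    int args[MAXARGS];
};

/* Models what the unbounded "curr->w_NumArgs++" does on two's-complement hardware:
 * INT_MAX + 1 becomes INT_MIN. Signed overflow is undefined in C, so the wrap is
 * reproduced with unsigned arithmetic to keep this program well-defined. */
static int wrapping_inc(int v)
{
    return (int)((unsigned int)v + 1u);
}

/* The check as quoted from ansi.c: only the upper bound is tested. */
static int vuln_index_ok(int num_args)
{
    return num_args < MAXARGS;
}

/* The check from the reporter's patch: the index must also be non-negative. */
static int fixed_index_ok(int num_args)
{
    return num_args >= 0 && num_args < MAXARGS;
}

/* Feeds the parameter bytes of a CSI sequence (digits and ';'/':' separators) through
 * a cut-down version of the ansi.c state machine, using index_ok as the bounds check.
 * *oob is set when a digit would be stored through an index outside args[]; the
 * store itself is skipped so the model never corrupts memory. Returns final num_args. */
static int feed_params(struct win *w, const char *s, int (*index_ok)(int), int *oob)
{
    *oob = 0;
    for (; *s != '\0'; s++) {
        if (*s >= '0' && *s <= '9') {
            if (index_ok(w->num_args)) {
                if (w->num_args < 0 || w->num_args >= MAXARGS)
                    *oob = 1;                  /* the real code would write here */
                else if (w->args[w->num_args] < 100000000)
                    w->args[w->num_args] = 10 * w->args[w->num_args] + (*s - '0');
            }
        } else if (*s == ';' || *s == ':') {
            w->num_args = wrapping_inc(w->num_args); /* unbounded, as in the original */
        }
    }
    return w->num_args;
}

/* Separator bytes needed to drive num_args from 0 past INT_MAX: 2^31, the
 * "2 to 3 gigabytes" of the advisory. */
static long long separators_to_wrap(void)
{
    return (long long)INT_MAX + 1;
}

/* Pre-seeds the counter just below INT_MAX (standing in for 2^31 - 1 separators
 * already received), sends two more separators to wrap it, then one digit.
 * Returns 1 if index_ok let the out-of-bounds store through, 0 if it was blocked. */
static int attack_gets_through(int (*index_ok)(int))
{
    struct win w = {0, {0}};
    int oob;

    w.num_args = INT_MAX - 1;
    feed_params(&w, ";;7", index_ok, &oob);
    return oob;
}

int main(void)
{
    printf("separators needed to wrap: %lld\n", separators_to_wrap());
    printf("original check: out-of-bounds store %s\n",
           attack_gets_through(vuln_index_ok) ? "ALLOWED" : "blocked");
    printf("patched check:  out-of-bounds store %s\n",
           attack_gets_through(fixed_index_ok) ? "ALLOWED" : "blocked");
    return 0;
}
```

The model keeps the separator branch unbounded on purpose, because that is where the real defect sits: the `>= 0` guard from the patch closes the digit-store path, but a parser that stops counting at MAXARGS would never reach the wrap at all.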
|
Impact: A local user can execute arbitrary code with the privileges of GNU screen (which may be root user privileges or utmp group privileges, depending on the installation).
|
Solution: No solution was available at the time of this entry.
An unofficial patch is provided in the Source Message.
|
Vendor URL: www.gnu.org/software/screen/screen.html
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Timo Sirainen <tss@iki.fi>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 27 Nov 2003 03:29:05 +0200
From: Timo Sirainen <tss@iki.fi>
Subject: GNU screen buffer overflow
|
Summary
-------
Buffer overflow in GNU screen allows privilege escalation for local users.
Usually screen is installed either setgid-utmp or setuid-root.
It also has some potential for remote attacks or getting control of another
user's screen. The problem is that you have to transfer around 2-3 gigabytes
of data to the user's screen to exploit this vulnerability.
4.0.1, 3.9.15 and older versions are vulnerable.
Details
-------
ansi.c:
        case '0': case '1': case '2': case '3': case '4':
        case '5': case '6': case '7': case '8': case '9':
          if (curr->w_NumArgs < MAXARGS)        /* upper bound only; no >= 0 check */
            {
              if (curr->w_args[curr->w_NumArgs] < 100000000)
                curr->w_args[curr->w_NumArgs] =
                  10 * curr->w_args[curr->w_NumArgs] + (c - '0');
            }
          break;
        case ';':
        case ':':
          curr->w_NumArgs++;                    /* incremented without limit */
          break;
w_NumArgs is a signed integer, so after you've sent 2GB of ';' characters in an
escape sequence it wraps to negative and the < MAXARGS protection fails.
Then it's only a matter of finding a position in memory where the next if
check passes and does something useful. I would guess there are multiple such
possibilities, but I didn't try to find any.
Window sizes
------------
I didn't really check this, but the code looked like there could be some
problems with large window sizes (eg. ESC[100000;100000t).
Vendor status
-------------
Sent a mail to screen@uni-erlangen.de (16.10), no reply.
Sent a mail to screen mailing list (24.10), didn't help much.
Patch
-----
--- ansi.c.old 2003-11-15 18:04:12.000000000 +0200
+++ ansi.c 2003-11-15 18:04:51.000000000 +0200
@@ -559,7 +559,7 @@
{
case '0': case '1': case '2': case '3': case '4':
case '5': case '6': case '7': case '8': case '9':
- if (curr->w_NumArgs < MAXARGS)
+ if (curr->w_NumArgs >=3D 0 && curr->w_NumArgs < MAXARGS)
{
if (curr->w_args[curr->w_NumArgs] < 100000000)
curr->w_args[curr->w_NumArgs] =3D
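Review bot: the added `curr->w_NumArgs >= 0` guard stops the negative index at the digit case, but the counter is still incremented without bound in the `case ';': case ':':` branch quoted above the patch, so it keeps wrapping through INT_MAX, which is undefined behaviour for a signed int, and the wrapped value stays in w_NumArgs for the rest of the sequence. Suggest bounding the increment at its source, e.g. `if (curr->w_NumArgs < MAXARGS) curr->w_NumArgs++;` (or saturating at MAXARGS), and keeping the `>= 0` test as a second line of defence.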
--- resize.c.old 2003-11-27 02:55:07.000000000 +0200
+++ resize.c 2003-11-27 02:58:33.000000000 +0200
@@ -682,6 +682,17 @@
if (wi =3D=3D 0)
he =3D hi =3D 0;
=20
+ if (wi > 1000)
+ {
+ Msg(0, "Window width too large, truncated");
+ wi =3D 1000;
+ }
+ if (he > 1000)
+ {
+ Msg(0, "Window height too large, truncated");
+ he =3D 1000;
+ }
if (p->w_width =3D=3D wi && p->w_height =3D=3D he && p->w_histheight =3D=
=3D hi)
{
debug("ChangeWindowSize: No change.\n");
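Review bot: the clamps on `wi` and `he` leave `hi` unbounded even though the context line `if (p->w_width == wi && p->w_height == he && p->w_histheight == hi)` shows it is a sizing input of the same kind, and if `wi` and `he` are signed a negative value is not caught by `> 1000`. Suggest clamping `hi` the same way and rejecting values below zero (or below whatever minimum the rest of ChangeWindowSize assumes). The literal 1000 also appears four times across the two added blocks; a single named maximum would keep the limit and the two messages in step.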