Debian Security Advisory

screen -- The "screen" program overflows when copying the gecos field.

Date Reported:
20 Feb 1997
Affected Packages:
screen
Vulnerable:
No
Security database references:
No other external database security references currently available.
More information:

The overflow exists, but screen surrenders root privileges before the code is executed.

Original submitter of the report: Khelbin <khelbin@connix.com>

Screen 3.07.02, when setuid root (as it usually is), is [susceptible] to a buffer overflow at least on certain platforms. I haven't read through all the source but just looking quickly I noticed that attacher.c does the following:

      struct passwd ppp;
      char fullname[100];

      strcpy(fullname, ppp->pw_gecos);

I was able to whip up a quick exploit but it failed to work here on BSDI 1.1 because chpass/chfn will not except certain characters. Thus, reading in shellcode into the Full Name field produced an error message of "Illegal Character found in the Full Name field, re-edit [y]?" or something similar.

Any OS or version of chfn/chpass which does not check for 'illegal characters' or the length of the info being put into the field (BSDI 1.1 did not check length, only for illegal characters) may be vulnerable (I didn't check if it had given up suid root privs yet, I was going to do that by overflowing it with my shellcode string).

What I was doing was just putting my shellcode string into an ENV variable (with the NOPs and ret address back to the NOPs) and echoing the ENV variable to a file. Then just read in that file when you are in chpass/chfn as the new gecos info.