COMMAND
screen
SYSTEMS AFFECTED
Systems running screen 3.7.4 (others?)
PROBLEM
Velocity found following. This is a problem present in screen
3.7.4. When a user uses ^A > in screen to save whatever he has
cut, the file /tmp/screen-exchange is created. This file contains
whatever was in the cut buffer at the time. This can be exploited.
If a normal user links /tmp/screen-exchange to a sensetive file,
such as /etc/passwd, whenever root uses ^A > to save his buffer
to file, whatever file /tmp/screen-exchage is linked to, is
overwritten.
SOLUTION
Why would anyone use screen? Disable it. Here goes a temporary
fix for screen /tmp race (by Marcelo Tosatti).
diff -Nur screen-3.7.4/process.c screen-3.7.4.fix/process.c
--- screen-3.7.4/process.c Thu May 1 15:00:05 1997
+++ screen-3.7.4.fix/process.c Tue Aug 18 14:12:31 1998
@@ -20,7 +20,7 @@
*
****************************************************************
*/
-
+extern char bufferfile[100];
#include "rcs.h"
RCS_ID("$Id: process.c,v 1.27 1994/05/31 12:32:39 mlschroe Exp $ FAU")
@@ -1628,7 +1628,7 @@
#ifdef COPY_PASTE
case RC_BUFFERFILE:
if (*args == 0)
- BufferFile = SaveStr(DEFAULT_BUFFERFILE);
+ BufferFile = SaveStr(bufferfile);
else if (ParseSaveStr(act, &BufferFile))
break;
if (msgok)
diff -Nur screen-3.7.4/screen.c screen-3.7.4.fix/screen.c
--- screen-3.7.4/screen.c Sat May 10 09:21:27 1997
+++ screen-3.7.4.fix/screen.c Tue Aug 18 14:10:59 1998
@@ -20,7 +20,7 @@
*
****************************************************************
*/
-
+extern char bufferfile[100];
#include "rcs.h"
RCS_ID("$Id: screen.c,v 1.23 1994/05/31 12:32:51 mlschroe Exp $ FAU")
@@ -426,9 +426,6 @@
VisualBellString = SaveStr(" Wuff, Wuff!! ");
ActivityString = SaveStr("Activity in window %");
screenlogfile = SaveStr("screenlog.%n");
-#ifdef COPY_PASTE
- BufferFile = SaveStr(DEFAULT_BUFFERFILE);
-#endif
ShellProg = NULL;
#ifdef POW_DETACH
PowDetachString = 0;
@@ -915,7 +912,9 @@
{
sprintf(SockPath, "%s/.iscreen", home);
SockDir = SockPath;
- }
+ snprintf(bufferfile,sizeof(bufferfile),"%s/.screen-exchange",home);
+
+}
#endif
if (SockDir)
{
@@ -963,6 +962,12 @@
}
#endif
}
+#ifdef COPY_PASTE
+ strncpy(bufferfile,SockPath,sizeof(bufferfile)) [sizeof(bufferfile) - 1] = '\0';
+ strncat(bufferfile,"/screen-exchange",sizeof(bufferfile) - strlen (bufferfile));
+
+ BufferFile = SaveStr(bufferfile);
+#endif
if (stat(SockPath, &st) == -1)
Panic(errno, "Cannot access %s", SockPath);
diff -Nur screen-3.7.4/screen.h screen-3.7.4.fix/screen.h
--- screen-3.7.4/screen.h Mon Apr 14 14:36:17 1997
+++ screen-3.7.4.fix/screen.h Tue Aug 18 14:11:20 1998
@@ -21,7 +21,7 @@
****************************************************************
* $Id: screen.h,v 1.12 1994/05/31 12:32:54 mlschroe Exp $ FAU
*/
-
+char bufferfile[100];
#include "os.h"
#if defined(__STDC__)
@@ -89,7 +89,7 @@
*/
#define MAXHISTHEIGHT 3000
#define DEFAULTHISTHEIGHT 100
-#define DEFAULT_BUFFERFILE "/tmp/screen-exchange"
+/*#define DEFAULT_BUFFERFILE "/screen-exchange"*/
#define TTY_FLAG_PLAIN 0x01
Here goes a fix for all screen problems (but only on SysV):
export SCREENDIR=~/screen
chmod 755 /usr/bin/screen