Screen cloaking 'feature'

Summary
Description: Versions of the popular program 'screen' allow users to cloak themselves out of wtmp/utmp and appear to not be logged on.
Author: Taz <taz@webmaster.com>
Compromise: Cloak yourself from finger/wtmp/utmp etc. using screen
Vulnerable Systems: Those running screen 3.7.4 and probably earlier, maybe later
Date: 7 January 1998
Notes: I consider it a good thing when people send me bugs. Also, note that you can effect the same sort of thing as this by running 'xterm -ut' and then logging off.
Details


Date: Wed, 7 Jan 1998 02:25:10 -0800 (PST)
From: Taz <taz@webmaster.com>
To: fyodor@nmap.org
Subject: screen, etc


Hello,

	This evening I was checking out your web site and noticed that you
didn't have the screen bug listed so let me give you a brief overview just
in case you haven't heard of it.

	If screen is installed setuid like it's supposed to be, then any
normal user can execute 'screen -ln' and they become cloaked. They are
temporarily removed from wtmp/utmp. From here you can execute any command
you want without fear of being seen in w/finger/who, etc. When you're done
doing your secret commands, exit screen and you reappear in utmp/wtmp.

	This bug is still present in 3.7.4 which is distributed
widely with the latest versions of FreeBSD so I would say it's a problem.

[ cut ]

-taz
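
A defender-side cross-check for the condition the message describes, as an added example that is not part of the original advisory: it lists ttys that carry user processes but have no live utmp record. It assumes the Linux glibc 384-byte utmp layout and the column order of `ps -eo user,tty,pid,comm`; the function names and the sample data are constructed for illustration.

```python
import struct

# Assumption: Linux glibc utmp record layout (384 bytes); other systems differ.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values

def _text(field):
    """Decode a NUL-padded fixed-width utmp field."""
    return field.split(b"\0", 1)[0].decode(errors="replace")

def utmp_lines(raw):
    """Return {tty: user} for every live login record in a raw utmp image."""
    live = {}
    for off in range(0, len(raw) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(raw, off)
        if rec[0] == USER_PROCESS:          # rec[2] = ut_line, rec[4] = ut_user
            live[_text(rec[2])] = _text(rec[4])
    return live

def unlisted_ttys(raw_utmp, ps_output):
    """Return {tty: [(user, pid, command)]} for ttys absent from utmp."""
    live = utmp_lines(raw_utmp)
    found = {}
    for row in ps_output.strip().splitlines()[1:]:   # skip the header row
        user, tty, pid, comm = row.split(None, 3)
        if tty in ("?", "-") or tty in live:         # no tty, or accounted for
            continue
        found.setdefault(tty, []).append((user, int(pid), comm))
    return found

def make_record(ut_type, pid, line, user):
    """Build one utmp record for the constructed sample below."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), b"",
                     0, 0, 0, 0, 0, 0, 0, 0, 0, b"")

# Constructed sample: alice is logged in normally; the slot for pts/1 is dead
# and pts/3 has no record at all, yet bob has processes on both.
SAMPLE_UTMP = (make_record(USER_PROCESS, 1201, "pts/0", "alice")
               + make_record(DEAD_PROCESS, 1350, "pts/1", ""))
SAMPLE_PS = """USER TT PID COMMAND
root ? 1 init
alice pts/0 1201 bash
bob pts/1 1350 bash
bob pts/1 1377 screen
bob pts/3 1380 bash
"""

if __name__ == "__main__":
    for tty, procs in sorted(unlisted_ttys(SAMPLE_UTMP, SAMPLE_PS).items()):
        print(tty, procs)
```

A hit only means the tty is missing from utmp; terminals started with 'xterm -ut', mentioned in the notes above, show up the same way and need the same follow-up.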

This page is part of Fyodor's exploit world.