Screen cloaking 'feature'
| Description: | Versions of the popular program 'screen' allow users to cloak themselves out of wtmp/utmp and appear to not be logged on. |
| Author: | Taz <taz@webmaster.com> |
| Compromise: | Cloak yourself from finger/wtmp/utmp etc. using screen |
| Vulnerable Systems: | Those running screen 3.7.4 and probably earlier, maybe later |
| Date: | 7 January 1998 |
| Notes: | I consider it a good thing when people send me bugs. Also, note that you can effect the same sort of thing as this by running 'xterm -ut' and then logging off |
Date: Wed, 7 Jan 1998 02:25:10 -0800 (PST)
From: Taz <taz@webmaster.com>
To: fyodor@nmap.org
Subject: screen, etc
Hello,
This evening I was checking out your web site and noticed that you
didn't have the screen bug listed so let me give you a brief overview just
in case you havent heard of it.
If screen is installed setuid like its supposed to be, then any
normal user can execute 'screen -ln' and they become cloaked. They are
temporarily removed from wtmp/utmp. From here you can execute any command
you want without fear of being seen in w/finger/who, etc. When your done
doing your secret commands, exit screen and you reappear in utmp/wtmp.
This bug is still present in 3.7.4 which is the distributed
widely with the latest versions of FreeBSD so I would say its a problem.
[ cut ]
-taz
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
