Description
Screen 5.0.0, when it runs with setuid-root privileges, does not drop privileges while operating on a user-supplied path. This allows unprivileged users to create files in arbitrary locations with root ownership, the invoking user's (real) group ownership and file mode 0644. All data written to the Screen PTY will be logged into this file, allowing escalation to root privileges.
A flaw was found in Screen. When running with setuid-root privileges, the logfile_reopen() function does not drop privileges while operating on a user-supplied path. This vulnerability allows an unprivileged user to create files in arbitrary locations with root ownership.
Report
This vulnerability only affects Screen versions 5.0.0 and above. This is a moderate vulnerability because it allows creation or modification of root-owned files only with controlled PTY output and fixed permissions (0644), without enabling arbitrary code execution or full root access. Exploitation relies on triggering logfile_reopen() by manipulating the logfile’s link count or size, which limits reliability. While it breaks expected privilege boundaries, the impact is constrained to integrity issues like log injection or limited file manipulation, justifying a moderate severity classification.
Mitigation
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | screen | Not affected | | |
Red Hat Enterprise Linux 7 | screen | Not affected | | |
Additional information
Status:
EPSS
6.8 Medium
CVSS3
Related vulnerabilities
Vulnerability in the logfile_reopen() function of the GNU screen terminal multiplexer that allows an attacker to write data to an arbitrary file with root privileges