[Full-disclosure] screen 4.0.3 local Authentication Bypass
Lolek of TK53
lolek1337 at googlemail.com
Mon Jun 4 18:00:38 BST 2007
Hi,
On 6/4/07, rembrandt at jpberlin.de <rembrandt at jpberlin.de> wrote:
> Please take a look at the Attachement dear List moderator. :)
...
> It has been tested on OpenBSD 4.1 + screen 4.0.3 on x86.
>
> How to reproduce:
>
> Lock screen using ctrl+x
> Choose a Password
> Confirm the Password
>
> Screen asks for a Password to unlock the screen.
> Just press ctrl+c and it displays "Getpass error".
> 2 seconds later the screen is unlocked and you`ve access.
This is not reproducable with screen 4.0.3 on a Linux system. Also
with looking at the code of screen I can see no vulnerability in this
context. Can you show some code that proves your claim?
If not I suggest to get a better operating system distributor ;)
Cheers
Lolek of TK53
P.S. It's ctrl-a x not ctrl-x
Full-Disclosure is hosted and sponsored by Secunia.