GNU Screen contains a flaw that may allow a malicious user to gain access to a locked screen session. The issue is triggered when a screen session is locked using "ctrl-a x:", and an attacker types CTRL-C at the password prompt to abort the lock mechanism. Typing "screen -r" to restore the detached screen will grant access without prompting for the password.

Currently, there are no known workarounds or upgrades to correct this issue. However, Tobias Ulmer, OpenBSD contributor, has released an unofficial patch to address this vulnerability.

• CVE ID: 2007-3048 (see also: NVD)
• ISS X-Force ID: 34693
• Exploit Database: 4028
• Milw0rm: 4028
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-06/thread.html#20
  http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0228.html
• Vendor Specific News/Changelog Entry: http://archives.neohapsis.com/archives/openbsd/2008-06/1408.html
  http://www.mail-archive.com/[email protected]/msg00056.html
  http://www.mail-archive.com/[email protected]/msg00058.html
• Other Solution URL: http://archives.neohapsis.com/archives/openbsd/2008-06/1408.html
• Vendor URL: http://www.gnu.org/software/screen/

• Rembrandt - rembrandthelith.net - Helith