An gano lahani guda biyar a cikin GNU mai sarrafa taga na'ura mai kwakwalwa (terminal multiplexer), wanda ke ba da damar dubawar taga mai yawa a cikin na'ura wasan bidiyo. Batun mafi haɗari (CVE-5-2025) yana ba da damar samun damar tushen tushen akan tsarin. An haɗa gyara a cikin allon yau 23395 saki.
Rashin lafiyar CVE-2025-23395 yana shafar reshen allo na 5.0.0 ne kawai, wanda ke jigilar shi tare da Fedora. Linux, Arch Linux, NetBSD, OpenBSD da Alpine. IN Debian, Ubuntu, RHEL (EPEL 9), Gentoo, FreeBSD, SUSE/openSUSE, da OpenWrt suna ci gaba da jigilar reshen allon 4.x. Amfani da raunin yana yiwuwa akan tsarin da ke shigar da allon da za a iya aiwatarwa tare da tutar tushen setuid, kamar Arch. Linux da NetBSD. A cikin Fedora, ana shigar da kayan aikin tare da tutar setgid don ba da izinin rukunin allo, yana ba da damar sanya soket a cikin kundin tsarin /run/allo, wanda ke iyakance yuwuwar hare-haren hana sabis.
Rashin lahani yana faruwa ne ta gaskiyar cewa lokacin da aka kunna tare da tushen gata, ana aiwatar da aikin logfile_reopen() kafin a watsar da gatan, amma aiwatar da bayanai cikin mahallin kundayen adireshi na allo mai gudana mara gata na yanzu. Yana da kyau a lura cewa buɗewar farko na log ɗin ana yin shi tare da madaidaiciyar sake saiti na gata, amma lokacin sake buɗe fayil ɗin tare da log ɗin, sake saitin gata ba a yi ba.
Ta hanyar sarrafa yanayin shigar abun ciki na zaman, mai amfani zai iya cimma rubutattun bayanai zuwa fayil tare da haƙƙoƙin tushen, yayin da fayil ɗin kanta za a iya adana shi a cikin littafin adireshin gida na mai amfani. Harin ya ƙunshi share fayil ɗin log ɗin da aka ƙirƙira da maye gurbin shi tare da hanyar haɗin yanar gizo na alama da ke nuna kowane fayil a cikin tsarin. Idan fayil ɗin ya riga ya wanzu, bayanan da ke ɗauke da abubuwan allo a cikin zaman allo za a haɗa su ba tare da canza mai shi ba. Idan fayil ɗin ba ya wanzu, za a ƙirƙira shi tare da izini 0644, tushen mai shi da rukuni azaman mai amfani na yanzu.
Algorithm na harin da ke ƙirƙirar fayil ɗin /etc/profile.d/exploit.sh tare da umarnin "chown $ USER / tushen":
- Ƙirƙiri zaman allo tare da kunna shigar $ allo -Logfile $HOME/screen.log
- Latsa haɗin maɓalli Ctrl-aH don kunna shiga.
- Share fayil ɗin log ɗin da maye gurbin shi tare da hanyar haɗi na alama, wanda zai haifar da fayil ɗin /etc/profile.d/exploit.sh $ rm $HOME/screen.log; ln -s /etc/profile.d/exploit.sh $HOME/screen.log
- Koma zuwa zaman allo da fitar da bayanan zuwa allon da za a rubuta zuwa fayil ɗin log ɗin. $ echo -e "\ chown $ USER / tushen;"
- Da zarar tushen ainihin ya haɗu da tsarin, rubutun /etc/profile.d/exploit.sh zai gudana, wanda zai canza mai /root directory. $ ls -lhd / tushen drwxr-x- 5 tushen mai amfani 4.0K Dec 30 2020 .
- Ta misalin, zaku iya ƙirƙirar fayilolin sanyi sudo ko ƙara umarni zuwa ƙarshen rubutun tsarin.
Ƙananan lahani a cikin allo:
- CVE-2025-46802 - Satar na'urar TTY a cikin zaman masu amfani da yawa (mai amfani zai iya cimma izinin crw-rw-rw don na'urar /dev/pts/1). Matsalar tana bayyana a allon 4.x da 5.x rassan.
- CVE-2025-46803 - Saita tsoffin izini zuwa 0622 akan na'urar PTY, kyale kowane mai amfani ya rubuta. Matsalar tana bayyana ne kawai a cikin reshen allo 5.0.
- CVE-2025-46804 - yoyon bayanai game da kasancewar fayiloli da kundayen adireshi a cikin rufaffiyar kundayen adireshi (lokacin da aka ƙayyade kundin adireshi ta amfani da madaidaicin yanayin SCREENDIR, mai amfani yana samar da rubutun kuskure daban-daban waɗanda ke ba mutum damar sanin kasancewar fayiloli da kundayen adireshi tare da wannan sunan). Matsalar tana bayyana a allon 4.x da 5.x rassan.
- CVE-2025-46805 - Yanayin tsere yana kasancewa lokacin aika siginar SIGCONT da SIGHUP, yana haifar da ƙin sabis. Matsalar tana bayyana a allon 4.x da 5.x rassan.
- Yin amfani da aikin strncpy kuskure (maye gurbin strcpy tare da strncpy ba tare da la'akari da bambancin sarrafa haruffan banza "\0") ba, yana haifar da haɗari yayin aiwatar da umarni na musamman. Matsalar tana bayyana ne kawai a cikin reshen allo 5.0.
An gano raunin da ke tattare da hakan ne a lokacin wani bincike da aka gudanar kan lambar sirri ta GNU wadda ƙungiyar tsaro ta rarraba SUSE ta gudanar. LinuxAn sanar da masu haɓaka allon nuni game da raunin a ranar 7 ga Fabrairu, amma ba su iya shirya faci don duk raunin a cikin kwanaki 90 da aka ware ba, wanda hakan ya tilasta wa ma'aikatan SUSE su ƙirƙiri wasu faci da kansu. A cewar masu binciken da suka gudanar da binciken, masu kula da allon GNU na yanzu ba su da isasshen masaniya game da tushen lambar aikin kuma ba su iya fahimtar matsalolin tsaro da aka gano gaba ɗaya.
source: budenet.ru
