Three vulnerabilities were identified in systemd-journald

systemd vulnerability

Three vulnerabilities have been identified in systemd-journald, the systemd component responsible for logging, that allow an unprivileged local attacker to elevate privileges on the system and run code as root.

The vulnerabilities affect all distributions that use systemd, with the exception of SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28/29, where the systemd components are built with "-fstack-clash-protection".

What are the vulnerabilities?

The vulnerabilities registered as CVE-2018-16864 and CVE-2018-16865 allow an attacker to create conditions for writing data outside the bounds of the allocated memory block, while CVE-2018-16866 allows the contents of memory outside those bounds to be read.

The researchers have prepared a working prototype exploit that uses the vulnerabilities CVE-2018-16865 and CVE-2018-16866.

According to the details they provide, it obtains root privileges after approximately 10 minutes of attack on systems with the i386 architecture and 70 minutes on amd64 systems.

This exploit has been tested on Debian 9.5.

They also explain that:

The exploit uses the Stack Clash technique, the essence of which is to create conditions in which the contents of an overflowing heap end up in the stack area or, conversely, the stack overwrites the heap area.

This occurs in situations where the stack and heap are placed adjacent to each other (the stack area immediately follows the memory allocated for the heap).

The proposed exploit confirms the assumption that the protection against Stack Clash class attacks at the Linux kernel level is not sufficient.

At the same time, the attack is successfully blocked by rebuilding with GCC's "-fstack-clash-protection" option enabled.

About the vulnerabilities

CVE-2018-16864 was discovered while analyzing a situation in which passing a very large number of command line arguments (several megabytes) to an application that writes to the log through a syslog() call causes the systemd-journald process to crash.

The analysis showed that, by manipulating the string of command line arguments, a controlled region can be placed at the beginning of the stack.

For a successful attack, however, the stack guard page protection used in the kernel must be bypassed; its essence is to place guard pages at the memory boundaries so that touching them raises an exception (page fault).

To bypass this protection, systemd-journald is started in parallel under a race condition, leaving enough time to seize control before the process crashes due to a write to a read-only memory page.

While studying the first vulnerability, two more problems were found.

The second vulnerability, CVE-2018-16865, allows similar Stack Clash overlap conditions to be created by writing a very large message to /run/systemd/journal/socket.

The third vulnerability, CVE-2018-16866, manifests when a syslog message ending in the ":" character is sent.

Due to an error in string parsing, the terminating '\0' after that character is skipped, and the record will contain the part of the buffer beyond the '\0', allowing the addresses of the stack and of mmap regions to be learned.
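The parsing error behind CVE-2018-16866 is a classic C pitfall: strchr() counts the terminating NUL as part of the string, so a "skip one separator" check written as strchr(WHITESPACE, p[e]) also succeeds when p[e] is '\0', and the parser steps past the terminator into whatever stale bytes follow. The added example below is a simplified stand-in written for this article, not journald's code; parse_identifier, WHITESPACE and the sample buffer are constructed, and it shows the flawed check beside the hardened one:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define WHITESPACE " \t\n\r"

/* Find the syslog identifier ("tag:" or "tag[pid]:") at the start of
 * msg and return the offset at which the message body begins, or 0 if
 * there is no identifier. With safe == false the function contains the
 * class of flaw described above: strchr(WHITESPACE, '\0') is non-NULL,
 * because the terminator is part of every C string, so a message that
 * ends right after ':' is advanced past its own NUL. */
static size_t parse_identifier(const char *msg, bool safe)
{
    const char *p = msg + strspn(msg, WHITESPACE);
    size_t l = strcspn(p, WHITESPACE);      /* length of the first word */
    if (l == 0 || p[l - 1] != ':')
        return 0;                           /* no "identifier:" prefix */
    size_t e = l;                           /* first byte after ':' */
    if (safe) {
        /* Hardened check: test for the terminator before using strchr. */
        if (p[e] != '\0' && strchr(WHITESPACE, p[e]) != NULL)
            e++;
    } else {
        /* Flawed check: also true when p[e] == '\0', stepping past it. */
        if (strchr(WHITESPACE, p[e]) != NULL)
            e++;
    }
    return (size_t)(p - msg) + e;
}

/* Constructed sample: a receive buffer whose previous, longer contents
 * survive after the NUL; that stale data is what a leaked record exposes. */
static const char sample[] = "sshd[123]:\0STALE-BUFFER-BYTES";

size_t body_offset_flawed(void) { return parse_identifier(sample, false); }
size_t body_offset_fixed(void)  { return parse_identifier(sample, true);  }

int main(void)
{
    size_t bad = body_offset_flawed(), good = body_offset_fixed();
    printf("flawed parser: body starts at %zu -> \"%s\"\n", bad, sample + bad);
    printf("fixed parser:  body starts at %zu -> \"%s\"\n", good, sample + good);
    return 0;
}
```

The flawed parser hands back the stale bytes after the NUL as the "message body", which is exactly the kind of content that ends up in the journal record; the fixed parser returns an empty body.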

  • The CVE-2018-16864 vulnerability has been present since April 2013 (introduced in systemd 203), but became exploitable only after a change in systemd 230 in February 2016.
  • The CVE-2018-16865 vulnerability has been present since December 2011 (systemd 38) and exploitable since April 2013 (systemd 201).
  • The CVE-2018-16864 and CVE-2018-16865 issues were fixed a few hours ago in the master branch of systemd.

The CVE-2018-16866 vulnerability appeared in June 2015 (systemd 221) and was fixed in August 2018 (it is not present in systemd 240).

The release of a working exploit has been postponed until the release of patches by distributions.

At present, the vulnerabilities are not yet patched in the most popular distributions, such as Debian, Ubuntu, RHEL, Fedora and SUSE, as well as their derivatives.

  1.   luix said

    systemd sucks!

  2.   martyr said

    init freedom… yeah !!!!