Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday January 11 2019, @12:54PM   Printer-friendly
from the deep-seated-insecurities-and-paranoia dept.

From TFA (the friendly article) at https://www.openwall.com/lists/oss-security/2019/01/09/3:

We discovered three vulnerabilities in systemd-journald (https://en.wikipedia.org/wiki/Systemd):

- CVE-2018-16864 and CVE-2018-16865, two memory corruptions     (attacker-controlled alloca()s);

- CVE-2018-16866, an information leak (an out-of-bounds read).

CVE-2018-16864 was introduced in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). We developed a proof of concept for CVE-2018-16864 that gains eip control on i386.

CVE-2018-16865 was introduced in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced in June 2015 (systemd v221) and was inadvertently fixed in August 2018.

We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. We will publish our exploit in the near future.

To the best of our knowledge, all systemd-based Linux distributions are vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection.

This confirms https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php: "It should be clear that kernel-only attempts to solve [the Stack Clash] will necessarily always be incomplete, as the real issue lies in the lack of stack probing."

The article goes on with more detailed information on exploits.

<sarcasm>It's a good thing that systemd does not affect very many systems and no systems running anything important.</sarcasm>


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by rleigh on Friday January 11 2019, @02:24PM (1 child)

    by rleigh (4887) on Friday January 11 2019, @02:24PM (#785031) Homepage

    The chickens are coming home to roost, as we knew they would.

    "Bugs far more severe have been found" is to completely ignore that bad design, bad coding practices and a huge amount of hubris and egotism went into this software. If the design was solid, and good coding practices had been followed, bugs like this simply couldn't happen. Because programmers with a bit more self-awareness and humility would not have used alloca() to perform a needless micro-optimisation at the expense of system security. Processing strings in C using the most dangerously insecure strategy possible isn't even a bug, it's crass stupidity. As is not having a maximum message size in the first page.

    Some bugs are the result of genuine mistakes or extremely subtle side-effects. None of these problems fall into these categories. They are the result of programmers who think they are so great that they can't make mistakes, and that the rules don't apply to them.

    If I had to write functions like this, my choice would be to implement it using C++ with extern "C" and a static libstdc++. This would provide a C interface to string operations using std::string and std::string_view. Safer, faster and more maintainable than the C string equivalents, and from the point of view of the caller, totally transparent. If I wrote my code like what's in journald, I'd be fired for gross incompetence. It wouldn't even make it pass cursory code review. Where's the oversight for the systemd developers?

    Starting Score:    1  point
    Moderation   +3  
       Flamebait=1, Insightful=4, Interesting=1, Overrated=1, Total=7
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2) by bob_super on Friday January 11 2019, @06:09PM

    by bob_super (1357) on Friday January 11 2019, @06:09PM (#785153)

    I'm glad to learn from your experience that such bad code will never ever be adopted by anyone for any serious distro, and we'll never have to worry about that "systemd" thingy leaving the confines of the whackjobs' computer...

    Oh wait, it's fucking everywhere ! Tell me again how everyone in the industry is a certified moron.

    (disclaimer: I know why systemd is problematic. Make your points without being so hyperbolic that you assert nobody else has a clue)