Stories
Slash Boxes
Comments

SoylentNews is people

System Down: A systemd-journald Exploit

posted by martyb on Friday January 11 2019, @12:54PM   Printer-friendly
from the deep-seated-insecurities-and-paranoia dept.

DannyB writes:

From TFA (the friendly article) at https://www.openwall.com/lists/oss-security/2019/01/09/3:

We discovered three vulnerabilities in systemd-journald (https://en.wikipedia.org/wiki/Systemd):

- CVE-2018-16864 and CVE-2018-16865, two memory corruptions     (attacker-controlled alloca()s);

- CVE-2018-16866, an information leak (an out-of-bounds read).

CVE-2018-16864 was introduced in April 2013 (systemd v203) and became exploitable in February 2016 (systemd v230). We developed a proof of concept for CVE-2018-16864 that gains eip control on i386.

CVE-2018-16865 was introduced in December 2011 (systemd v38) and became exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced in June 2015 (systemd v221) and was inadvertently fixed in August 2018.

We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. We will publish our exploit in the near future.

To the best of our knowledge, all systemd-based Linux distributions are vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection.

This confirms https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php: "It should be clear that kernel-only attempts to solve [the Stack Clash] will necessarily always be incomplete, as the real issue lies in the lack of stack probing."

The article goes on with more detailed information on exploits.

<sarcasm>It's a good thing that systemd does not affect very many systems and no systems running anything important.</sarcasm>

Original Submission

 
This discussion has been archived. No new comments can be posted.
System Down: A systemd-journald Exploit | Log In/Create an Account | Top | 52 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 5, Insightful) by Azuma Hazuki on Friday January 11 2019, @05:48PM (3 children)

    by Azuma Hazuki (5086) on Friday January 11 2019, @05:48PM (#785146) Journal

    ...but I TOLD YOU SO! This is the proof I've been waiting for for a couple of years now as to why systemd is cancerous. I've been on Void and Artix for a good while, Funtoo with OpenRC previously, and have been watching this entire systemd debacle with a mix of amusement (diminishing) and horror (increasing).

    This does not surprise me, and the reason it doesn't surprise me is that systemd does not have pure motives. It looks, more than anything else, like an attempt by the corporate arm of Linux development to have their own "Windows distro," complete with laying the framework for the equivalent of MSCE testing and similar "industry." It is not The Unix Way (TM), and while a lot of Linux isn't either, it at least tries, whereas systemd seems to be trying to be as deliberately Microsoft-like as possible. The whole thing smells like Windows.

    Thank fuck for OpenRC, Runit, and if it comes to this, the BSDs.

    --
    I am "that girl" your mother warned you about...
    Starting Score:    1  point
    Moderation   +3  
       Insightful=3, Total=3
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   5  

  • (Score: 0) by Anonymous Coward on Saturday January 12 2019, @01:38PM (2 children)

    by Anonymous Coward on Saturday January 12 2019, @01:38PM (#785494)

    Feel free to run old software if that floats your boat. Runit, OpenRC and SysVinit had their growing pains too.

    https://nvd.nist.gov/vuln/detail/CVE-2017-18188 [nist.gov]
    https://nvd.nist.gov/vuln/detail/CVE-1999-1327 [nist.gov]
    https://nvd.nist.gov/vuln/detail/CVE-1999-1329 [nist.gov]
    https://nvd.nist.gov/vuln/detail/CVE-2006-1319 [nist.gov]

    • (Score: 5, Informative) by digitalaudiorock on Saturday January 12 2019, @07:33PM

      by digitalaudiorock (688) on Saturday January 12 2019, @07:33PM (#785642) Journal

      Holy shit. I stopped looking at those bug links after the first one. As it turns out, that issue with OpenRC is expressly because OpenRC is currently being managed by a pro-systemd developer who's been relentlessly screwing it up in an attempt to make it more like systemd. That's why I, and many other Gentoo users, are still using OpenRC 0.17 which works great and doesn't even use opentmpfiles at all...which is the cause of that bug! Talk about self-fulfilling prophecies. That's the systemd way after all...patting yourself on the back for fixing the shit you fuck up.

      But yea..."newer" is "better"...got it...even if it means fucking Windows-like binary logging...which by the way is where all these systemd bugs are. Give...me...a...fucking...break.

    • (Score: 3, Insightful) by Azuma Hazuki on Saturday January 12 2019, @10:15PM

      by Azuma Hazuki (5086) on Saturday January 12 2019, @10:15PM (#785688) Journal

      gb2/mom's basement, Poettering...

      --
      I am "that girl" your mother warned you about...