Published on February 3rd, 2019📅| 0
Researchers published the PoC exploit code for Linux SystemD bugs
Security researchers at the security firm Capsule8 have published exploit code for the vulnerabilities in Linux systemD disclosed in January.
Early this month, security firm Qualys disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 ) in a component of systemd, a software suite that provides fundamental building blocks for a Linux operating system used in most major Linux distributions.
The flaws reside in the systemd–journald, a service of the systemd that collects and stores logging data.
Both CVE-2018-16864 and CVE-2018-16865 bugs are memory corruption vulnerabilities, while the CVE-2018-16866 is an out of bounds issue that can lead to an information leak. Qualys experts were working on an exploit for another Linux vulnerability when noticed that passing several megabytes of command-line arguments to a program that calls syslog(), they were able to crash the systemd–journald.
The experts developed a PoC exploit for both CVE-2018-16865 and CVE-2018-16866 that is able to obtain a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average.
In an attack scenario against a Linux box, the CVE-2018-16864 can be exploited by a malicious code or an ill-intentioned logged-in user, to crash and hijack the systemd–journald system service, and elevated access previleges. The chaining of the CVE-2018-16865 and CVE-2018-16866 could allow a local attacker to crash or hijack the root-privileged journal service.
If you haven’t already applied the patches your system, now you have a good reason to do it because experts at security firm Capsule8 have published exploit code for the flaws.
The exploit code was rendered harmless and shouldn’t work for massive attacks in the wild. However, security experts may devise ways to bypass security protections of Linux installs.
Nick Gregory, security research at Capsule8, published a blog post that revealed that his company has developed a proof-of-concept exploit for the above vulnerabilities.
“As Qualys did not provide exploit code, we developed a proof-of-concept exploit for our own testing and verification.” reads the post published by
“There are some interesting aspects that were not covered by Qualys’ initial publication, such as how to communicate with the affected service to reach the vulnerable component, and how to control the computed hash value that is actually used to corrupt memory,”
The Python exploit script written by the expert targets the 20180808.0.0 release of the ubuntu/bionic64 Vagrant image when the address space layout randomization (ASLR) is disabled (an uncommon condition for production environment).
The script triggers the CVE-2018-16865 flaw via the alloca() function, the expert uses it to allocate a specified number of bytes of memory space in the stack frame of the caller and manipulate the stack pointer.
“Our general approach for exploiting this vulnerability is to initially send the right size and count of entries, so as to make the stack pointer point to libc’s BSS memory region , and then surgically overwrite the free_hook function pointer with a pointer to system.” continues the researcher.
“This grants us arbitrary command execution upon the freeing of memory with content we control.”
The exploitation of the flaws requires controlling all 64 bits of output that the hash function produces, but it is very hard to pre-image that hash.
Even if there are some tools to calculate exact preimages in a few seconds, but for the PoC the experts used a pre-computed hash for the Vagrant image.
To use the same PoC exploit code with other Linux distros it is necessary to calculate the hash, experts at Capsulate8 will details possibility in a follow-up post.
“As the first in our series on this topic, the objective of this post is to provide the reader with the ability to write a proof-of-concept capable of exploiting the service with Address Space Layout Randomization (ASLR) disabled. In the interest of not posting an unreadably-long blog, and also not handing sharp objects to script-kiddies before the community has had chance to patch, we are saving some elements for discussion in future posts in this series, including details on how to control the key computed hash value.” concludes the expert.
“We are also considering providing a full ASLR bypass, but are weighing whether we are lowering the bar too much for the kiddies,”