Date: Tue, 24 Jan 2017 09:55:01 +0100 From: Sebastian Krahmer <krahmer@...e.com> To: oss-security@...ts.openwall.com Subject: Headsup: systemd v228 local root exploit (CVE-2016-10156) Hi This is a heads up for a trivial systemd local root exploit, that was silently fixed in the upstream git as: commit 06eeacb6fe029804f296b065b3ce91e796e1cd0e Author: .... Date: Fri Jan 29 23:36:08 2016 +0200 basic: fix touch() creating files with 07777 mode mode_t is unsigned, so MODE_INVALID < 0 can never be true. This fixes a possible DoS where any user could fill /run by writing to a world-writable /run/systemd/show-status. The analysis says that is a "possible DoS", but its a local root exploit indeed. Mode 07777 also contains the suid bit, so files created by touch() are world writable suids, root owned. Such as /var/lib/systemd/timers/stamp-fstrim.timer thats found on a non-nosuid mount. This is trivially exploited by something like: http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c with minimal changes, so I wont provide a PoC here. The bug was possibly introduced via: commit ee735086f8670be1591fa9593e80dd60163a7a2f Author: ... Date: Wed Nov 11 22:54:56 2015 +0100 util-lib: use MODE_INVALID as invalid value for mode_t everywhere So we believe that this mostly affects v228 of systemd, but its recommended that distributors cross-check their systemd versions for vulnerable touch_*() functions. We requested a CVE for this issue from MITRE by ourselfs: CVE-2016-10156 We would like to see that systemd upstream retrieves CVE's themself for their own bugs, even if its believed that its just a local DoS. This would make distributors life much easier when we read the git logs to spot potential issues. The systemd git log is really huge, with lots of commits each week ("new services as a service"). Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.com - SuSE Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ