Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 28 Sep 2016 12:20:02 -0700
From: Andrew Ayer <agwa@...rewayer.name>
To: oss-security@...ts.openwall.com
Subject: CVE Request: systemd v209+: local denial-of-service attack

systemd[1] fails an assertion in manager_invoke_notify_message[2] when
a zero-length message is received over its notification socket.
After failing the assertion, PID 1 hangs in the pause system call.
It is no longer possible to start and stop daemons or cleanly reboot
the system. Inetd-style services managed by systemd no longer accept
connections.

Since the notification socket, /run/systemd/notify, is world-writable,
this allows a local user to perform a denial-of-service attack against
systemd.

Proof-of-concept:

        NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

This vulnerability is present in all versions of systemd since at
least v209[3].

This has been reported to systemd.[4]

[1] https://github.com/systemd/systemd/
[2] https://github.com/systemd/systemd/blob/b8fafaf4a1cffd02389d61ed92ca7acb1b8c739c/src/core/manager.c#L1666
[3] https://github.com/systemd/systemd/commit/5ba6985b6c8ef85a8bcfeb1b65239c863436e75b#diff-ab78220e12703ee63fa1e6a2caa16bebR1325
[4] https://github.com/systemd/systemd/issues/4234

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.