Early this month, security firm Qualys disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 ) in a component of
The flaws reside in the systemd–journald, a service of the systemd that collects and stores logging data.
Both CVE-2018-16864 and CVE-2018-16865 bugs are memory corruption vulnerabilities, while the CVE-2018-16866 is an out of bounds issue that can lead to an information leak. Qualys experts were working on an exploit for another Linux vulnerability when noticed that passing several megabytes of command-line arguments to a program that calls
The experts developed a PoC exploit for both CVE-2018-16865 and CVE-2018-16866 that is able to obtain a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average.
In an attack scenario against a Linux box, the CVE-2018-16864 can be exploited by a malicious code or an ill-intentioned logged-in user, to crash and hijack the systemd–journald system service, and elevated access previleges. The chaining of the CVE-2018-16865 and CVE-2018-16866 could allow a local attacker to crash or hijack the root-privileged journal service.
The exploit code was rendered harmless and shouldn’t work for massive attacks in the wild. However, security experts may devise ways to bypass security protections of Linux installs.
Nick Gregory, security research at Capsule8, published a blog post that revealed that his company has developed a proof-of-concept exploit for the above vulnerabilities.
“As Qualys did not provide exploit code, we developed a proof-of-concept exploit for our own testing and verification.” reads the post published by
“There are some interesting aspects that were not covered by Qualys’ initial publication, such as how to communicate with the affected service to reach the vulnerable component, and how to control the computed hash value that is actually used to corrupt memory,”
The Python exploit script written by the expert targets the 20180808.0.0 release of the
The script triggers the CVE-2018-16865 flaw via the
“Our general approach for exploiting this vulnerability is to initially send the right size and count of entries, so as to make the stack pointer point to
“This grants us arbitrary command execution upon the freeing of memory with content we control.”
The exploitation of the flaws requires controlling all 64 bits of output that the hash function produces, but it is very hard to pre-image that hash.
Even if there are some tools to calculate exact preimages in a few seconds, but for the PoC the experts used a pre-computed hash for the Vagrant image.
To use the same PoC exploit code with other Linux distros it is necessary to calculate the hash, experts at Capsulate8 will details possibility in a follow-up post.
“As the first in our series on this topic, the objective of this post is to provide the reader with the ability to write a proof-of-concept capable of exploiting the service with Address Space Layout Randomization (ASLR) disabled. In the interest of not posting an
“We are also considering providing a full ASLR bypass, but are weighing whether we are lowering the bar too much for the kiddies,”
(SecurityAffairs – Linux, systemd