The D in SystemD stands for Danger, Will Robinson! Defanged exploit code for security holes now out in the wild

Those who haven't already patched a trio of recent vulnerabilities in the Linux world's SystemD have an added incentive to do so: security biz Capsule8 has published exploit code for the holes.

Don't panic, though: the exploit code has been defanged so that it is defeated by basic security measures, and thus shouldn't work in the wild against typical Linux installations. However, Capsule8 or others may reveal ways to bypass those protections, so consider this a heads-up, or an insight into exploit development. Google Project Zero routinely reveals the inner magic of its security exploits, if you're into that.

Back to SystemD.

In mid-January, Qualys, another security firm, released details about three flaws affecting systemd-journald, a systemd component that handles the collection and storage of log data. Patches for the vulnerabilities – CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 – have been issued by various Linux distributions.

Exploitation of these code flaws allows an attacker to alter system memory in order to commandeer systemd-journal, which permits privilege escalation to the root account of the system running the software. In other words, malware running on a system, or rogue logged-in users, can abuse these bugs to gain administrator-level access over the whole box, which is not great in uni labs and similar environments.

Nick Gregory, research scientists at Capsule8, in a blog post this week explains that his firm developed proof-of-concept exploit code for testing and verification. As in testing whether or not computers are at risk, and verifying the patches work.

"There are some interesting aspects that were not covered by Qualys’ initial publication, such as how to communicate with the affected service to reach the vulnerable component, and how to control the computed hash value that is actually used to corrupt memory," he said.

Manipulated

The exploit script, written in Python 3, targets the 20180808.0.0 release of the ubuntu/bionic64 Vagrant image, and assumes that address space layout randomization (ASLR) is disabled. Typically, ASLR is not switched off in production systems, making this largely an academic exercise.

The script exploits CVE-2018-16865 via Linux's alloca() function, which allocates the specified number of bytes of memory space in the stack frame of the caller; it can be used to manipulate the stack pointer.

Basically, by creating a massive number of log entries and appending them to the journal, the attacker can overwrite memory and take control of the vulnerable system.

"Our general approach for exploiting this vulnerability is to initially send the right size and count of entries, so as to make the stack pointer point to libc’s BSS memory region, and then surgically overwrite the free_hook function pointer with a pointer to system," explains Gregory. "This grants us arbitrary command execution upon the freeing of memory with content we control."

One of the challenges in creating this exploit involves controlling the output of the hash function used to encode the journal entries. The PoC code has been tuned to this specific Vagrant image, meaning those values have been computed in advance.

To adapt the PoC to other Linux distributions requires hash preimaging, something that can be done with available tools thanks to the fact that the hash is not cryptographically secure. Capsule8 intends to explore this further in a follow-up post, though the company may withhold some details to avoid helping script kiddies defeat ASLR defenses.

"We are also considering providing a full ASLR bypass, but are weighing whether we are lowering the bar too much for the kiddies," Gregory added.

In a phone interview with The Register, co-founder and chief scientist Brandon Edwards said, "We provide enough information under certain conditions to exploit the the Vagrant image. There will be at least one more post, depending on how we feel about disclosing an ASLR bypass. We will be writing up how to compute the preimage required."

Edwards said PoC code was developed to verify the efficacy of Capsule8's real-time attack detection. The flaw enabling the exploit code, he said, demonstrates that alloca() is not how memory should be dynamically allocated.

"The other thing this highlights is there are some compiler flags that would have prevented this from being exploitable," he said, pointing to GCC's -fstack-clash-protection option. "Some distros compile with it out of the box, and others don't." ®