Re: System Down: A systemd-journald exploit

From: Qualys Security Advisory <qsa@qualys.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: System Down: A systemd-journald exploit
Date:

Attachments:
system-down.tar.gz

Hi all,

Our systemd-journald exploit for CVE-2018-16865 and CVE-2018-16866 is
now available at:

https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz

It is also attached to this email. A few notes about this exploit:

- It supports several targets by default (vulnerable versions of Debian,
  Ubuntu, Fedora, CentOS), and it should be relatively easy to add more
  targets.

- When adding a new amd64 target, use the "free_hook" method if possible
  (if located at a multiple of 16 plus 8, as explained in our advisory);
  for various reasons, the alternative "stderr_chain" method is not as
  reliable as "free_hook" and may therefore take longer to succeed.

- When adding and testing a new target, you may want to set
  "StartLimitInterval=1s" and "StartLimitBurst=10" (for example) in
  "systemd-journald.service": the exploit will detect this and
  brute-force faster.

- If the exploit dies because "No journal files were opened due to
  insufficient permissions", the "wall" method can be used instead (via
  the "-w" switch). Our exploit currently implements the wall method
  "ssh 127.0.0.1", but alternative methods can be implemented
  ("utempter" and "gnome-pty-helper", for example).

- To test the default information-leak method even if "No journal files
  were opened due to insufficient permissions", it is enough to create
  /var/log/journal/ (as explained in "man systemd-journald").

Thank you very much! With best regards,

-- 
the Qualys Security Advisory team




Copyright © 1995-2019 LinuxRocket.net. All rights reserved.