Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: System Down: A systemd-journald exploit

Related Vulnerabilities: CVE-2018-16865   CVE-2018-16866  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="25"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#21">By Date</a>
<a href="26"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="25"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#21">By Thread</a>
<a href="26"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Re: System Down: A systemd-journald exploit</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Qualys Security Advisory &lt;qsa () qualys com&gt;


<em>Date</em>: Mon, 13 May 2019 07:27:45 -0700


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Hi all,

Our systemd-journald exploit for CVE-2018-16865 and CVE-2018-16866 is
now available at:

<a rel="nofollow" href="https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz">https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz</a>

It is also attached to this email. A few notes about this exploit:

- It supports several targets by default (vulnerable versions of Debian,
  Ubuntu, Fedora, CentOS), and it should be relatively easy to add more
  targets.

- When adding a new amd64 target, use the "free_hook" method if possible
  (if located at a multiple of 16 plus 8, as explained in our advisory);
  for various reasons, the alternative "stderr_chain" method is not as
  reliable as "free_hook" and may therefore take longer to succeed.

- When adding and testing a new target, you may want to set
  "StartLimitInterval=1s" and "StartLimitBurst=10" (for example) in
  "systemd-journald.service": the exploit will detect this and
  brute-force faster.

- If the exploit dies because "No journal files were opened due to
  insufficient permissions", the "wall" method can be used instead (via
  the "-w" switch). Our exploit currently implements the wall method
  "ssh 127.0.0.1", but alternative methods can be implemented
  ("utempter" and "gnome-pty-helper", for example).

- To test the default information-leak method even if "No journal files
  were opened due to insufficient permissions", it is enough to create
  /var/log/journal/ (as explained in "man systemd-journald").

Thank you very much! With best regards,

-- 
the Qualys Security Advisory team
</pre><p><strong>Attachment:
<a href="att-21/system-down_tar.gz"><tt>system-down.tar.gz</tt></a></strong>

<em>Description:</em> </p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="25"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#21">By Date</a>
<a href="26"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="25"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#21">By Thread</a>
<a href="26"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Re: System Down: A systemd-journald exploit</strong> <em>Qualys Security Advisory (May 13)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started