<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: System Down: A systemd-journald exploit
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Qualys Security Advisory <qsa () qualys com>
Date: Fri, 10 May 2019 03:42:42 -0700
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi all,

Our systemd-journald exploit for CVE-2018-16865 and CVE-2018-16866 is
now available at:

https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz

It is also attached to this email. A few notes about this exploit:

- It supports several targets by default (vulnerable versions of Debian,
  Ubuntu, Fedora, CentOS), and it should be relatively easy to add more
  targets.

- When adding a new amd64 target, use the "free_hook" method if possible
  (if located at a multiple of 16 plus 8, as explained in our advisory);
  for various reasons, the alternative "stderr_chain" method is not as
  reliable as "free_hook" and may therefore take longer to succeed.

- When adding and testing a new target, you may want to set
  "StartLimitInterval=1s" and "StartLimitBurst=10" (for example) in
  "systemd-journald.service": the exploit will detect this and
  brute-force faster.

- If the exploit dies because "No journal files were opened due to
  insufficient permissions", the "wall" method can be used instead (via
  the "-w" switch). Our exploit currently implements the wall method
  "ssh 127.0.0.1", but alternative methods can be implemented
  ("utempter" and "gnome-pty-helper", for example).

- To test the default information-leak method even if "No journal files
  were opened due to insufficient permissions", it is enough to create
  /var/log/journal/ (as explained in "man systemd-journald").

Thank you very much! With best regards,

--
the Qualys Security Advisory team
Attachment:
system-down.tar.gz
<!--X-Body-of-Message-End-->
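The message notes that relaxed "StartLimitInterval"/"StartLimitBurst" values in "systemd-journald.service" let brute-forcing proceed faster. The following is an added example, not part of the original message or of the Qualys tarball: a defender-side audit that reads unit-file text and flags start limits looser than systemd's defaults. It assumes the manager defaults (10s interval, burst of 5) are unchanged on the host, supports only a subset of systemd time-span syntax, and uses constructed sample unit text.

```python
import re

# systemd manager defaults (DefaultStartLimitIntervalSec=10s, DefaultStartLimitBurst=5),
# assumed here to be unchanged in system.conf on the audited host.
DEFAULT_INTERVAL_S, DEFAULT_BURST = 10.0, 5
BASELINE = DEFAULT_BURST / DEFAULT_INTERVAL_S  # restarts per second

_UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1.0, "sec": 1.0, "min": 60.0, "h": 3600.0}
_SPAN = re.compile(r"(\d+(?:\.\d+)?)\s*([a-z]*)")

def parse_span(value):
    """Parse a subset of systemd time spans ("1s", "2min 30s", bare seconds)."""
    parts = _SPAN.findall(value.strip().lower())
    if not parts:
        raise ValueError(f"unsupported time span: {value!r}")
    return sum(float(n) * _UNITS[u or "s"] for n, u in parts)

def start_limit(unit_text):
    """Return (interval_s, burst) after applying assignments top to bottom."""
    interval, burst = DEFAULT_INTERVAL_S, DEFAULT_BURST
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        # An empty value is treated as "back to the default" in this example.
        if key in ("StartLimitInterval", "StartLimitIntervalSec"):
            interval = parse_span(value) if value else DEFAULT_INTERVAL_S
        elif key == "StartLimitBurst":
            burst = int(value) if value else DEFAULT_BURST
    return interval, burst

def audit(unit_text):
    """Flag start limits that allow more restarts per second than the defaults."""
    interval, burst = start_limit(unit_text)
    # An interval of 0 disables start rate limiting entirely.
    rate = float("inf") if interval == 0 else burst / interval
    return {"interval_s": interval, "burst": burst,
            "restarts_per_s": rate, "relaxed": rate > BASELINE}

# Constructed sample: a stock-looking unit, then a drop-in with the test values above.
STOCK = "[Service]\nRestart=always\nRestartSec=0\n"
TEST_DROPIN = "[Service]\nStartLimitInterval=1s\nStartLimitBurst=10\n"

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("stock + drop-in", STOCK + TEST_DROPIN)):
        print(name, audit(text))
```

On a real host, the text to audit can be collected with "systemctl cat systemd-journald.service", which prints the unit followed by its drop-ins in the order they are applied.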
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->