The D in SystemD stands for Danger, Will Robinson! Defanged exploit code for security holes now out in the wild

Capsule8 demos takeover technique to help sysadmins check for vulnerabilities

Those who haven't already patched a trio of recent vulnerabilities in the Linux world's SystemD have an added incentive to do so: security biz Capsule8 has published exploit code for the holes.

Don't panic, though: the exploit code has been defanged so that it is defeated by basic security measures, and thus shouldn't work in the wild against typical Linux installations. However, Capsule8 or others may reveal ways to bypass those protections, so consider this a heads-up, or an insight into exploit development. Google Project Zero routinely reveals the inner magic of its security exploits, if you're into that.

Back to SystemD.

In mid-January, Qualys, another security firm, released details about three flaws affecting systemd-journald, a systemd component that handles the collection and storage of log data. Patches for the vulnerabilities – CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 – have been issued by various Linux distributions.

Exploitation of these code flaws allows an attacker to alter system memory in order to commandeer systemd-journal, which permits privilege escalation to the root account of the system running the software. In other words, malware running on a system, or rogue logged-in users, can abuse these bugs to gain administrator-level access over the whole box, which is not great in uni labs and similar environments.

Nick Gregory, research scientists at Capsule8, in a blog post this week explains that his firm developed proof-of-concept exploit code for testing and verification. As in testing whether or not computers are at risk, and verifying the patches work.

"There are some interesting aspects that were not covered by Qualys’ initial publication, such as how to communicate with the affected service to reach the vulnerable component, and how to control the computed hash value that is actually used to corrupt memory," he said.


The exploit script, written in Python 3, targets the 20180808.0.0 release of the ubuntu/bionic64 Vagrant image, and assumes that address space layout randomization (ASLR) is disabled. Typically, ASLR is not switched off in production systems, making this largely an academic exercise.

The script exploits CVE-2018-16865 via Linux's alloca() function, which allocates the specified number of bytes of memory space in the stack frame of the caller; it can be used to manipulate the stack pointer.

Basically, by creating a massive number of log entries and appending them to the journal, the attacker can overwrite memory and take control of the vulnerable system.

Sad penguin photo via Shutterstock

The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box


"Our general approach for exploiting this vulnerability is to initially send the right size and count of entries, so as to make the stack pointer point to libc’s BSS memory region, and then surgically overwrite the free_hook function pointer with a pointer to system," explains Gregory. "This grants us arbitrary command execution upon the freeing of memory with content we control."

One of the challenges in creating this exploit involves controlling the output of the hash function used to encode the journal entries. The PoC code has been tuned to this specific Vagrant image, meaning those values have been computed in advance.

To adapt the PoC to other Linux distributions requires hash preimaging, something that can be done with available tools thanks to the fact that the hash is not cryptographically secure. Capsule8 intends to explore this further in a follow-up post, though the company may withhold some details to avoid helping script kiddies defeat ASLR defenses.

"We are also considering providing a full ASLR bypass, but are weighing whether we are lowering the bar too much for the kiddies," Gregory added.

In a phone interview with The Register, co-founder and chief scientist Brandon Edwards said, "We provide enough information under certain conditions to exploit the the Vagrant image. There will be at least one more post, depending on how we feel about disclosing an ASLR bypass. We will be writing up how to compute the preimage required."

Edwards said PoC code was developed to verify the efficacy of Capsule8's real-time attack detection. The flaw enabling the exploit code, he said, demonstrates that alloca() is not how memory should be dynamically allocated.

"The other thing this highlights is there are some compiler flags that would have prevented this from being exploitable," he said, pointing to GCC's -fstack-clash-protection option. "Some distros compile with it out of the box, and others don't." ®

Other stories you might like

  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    We'll see you around the Block

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading

Biting the hand that feeds IT © 1998–2022