Bug 33036 - systemd v228 local root exploit (CVE-2016-10156)
Summary: systemd v228 local root exploit (CVE-2016-10156)
Status: CLOSED NOTABUG
Alias: None
Product: Branch p8
Classification: Distributions
Component: systemd
Version: not specified
Hardware: all Linux
Importance: P3 normal
Assignee: Andrey Cherepanov
QA Contact: qa-p8@altlinux.org
URL: http://seclists.org/oss-sec/2017/q1/175
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-24 12:37 MSK by Mikhail Kasimov
Modified: 2017-01-24 17:03 MSK

See Also:


Description Mikhail Kasimov 2017-01-24 12:37:23 MSK
===============================================================================
From: Sebastian Krahmer <krahmer () suse com>
Date: Tue, 24 Jan 2017 09:55:01 +0100

Hi

This is a heads-up for a trivial systemd local root exploit that
was silently fixed in the upstream git as:

commit 06eeacb6fe029804f296b065b3ce91e796e1cd0e
Author: ....
Date:   Fri Jan 29 23:36:08 2016 +0200

    basic: fix touch() creating files with 07777 mode
    
    mode_t is unsigned, so MODE_INVALID < 0 can never be true.
    
    This fixes a possible DoS where any user could fill /run by writing to
    a world-writable /run/systemd/show-status.

The analysis says that this is a "possible DoS", but it's a local root
exploit indeed. Mode 07777 also contains the suid bit, so files
created by touch() are world-writable suids, root owned. Such
as /var/lib/systemd/timers/stamp-fstrim.timer that's found on a non-nosuid mount.

This is trivially exploited by something like:

http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c

with minimal changes, so I won't provide a PoC here.

The bug was possibly introduced via:

commit ee735086f8670be1591fa9593e80dd60163a7a2f
Author: ...
Date:   Wed Nov 11 22:54:56 2015 +0100

    util-lib: use MODE_INVALID as invalid value for mode_t everywhere


So we believe that this mostly affects v228 of systemd, but it's recommended
that distributors cross-check their systemd versions for vulnerable
touch_*() functions. We requested
a CVE for this issue from MITRE by ourselves: CVE-2016-10156

We would like to see systemd upstream retrieve CVEs themselves
for their own bugs, even if it's believed that it's just a local DoS.
This would make distributors' lives much easier when we read the git logs
to spot potential issues. The systemd git log is really huge, with
lots of commits each week ("new services as a service").

Sebastian
===============================================================================

The sentence "So we believe that this mostly affects v228 of systemd, but it's recommended that distributors cross-check their systemd versions for vulnerable
touch_*() functions." is a reason to re-check whether this problem is still relevant on the ALT Linux branches in use.
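The defect named in the commit message ("mode_t is unsigned, so MODE_INVALID < 0 can never be true") is an unsigned-comparison bug: a sign test on an unsigned type is dead code, so the "no mode given" sentinel is applied as a real mode. The following C program is an added example, not systemd's code and not part of the bug report or the oss-sec mail. It reconstructs the pattern (the vulnerable resolver beside the fixed one), applies each result to a scratch file and reads back what the kernel recorded, and provides the predicate (set-id bit combined with write-for-others) that turns the "possible DoS" into the root-owned world-writable suid the report describes. The function names, the default mode 0644 and the scratch paths are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* systemd's sentinel for "no mode given" is ((mode_t) -1). mode_t is
 * unsigned, so this is the all-ones value; masked to the twelve permission
 * bits that chmod honours it becomes 07777 (rwsrwsrwt). */
#define MODE_INVALID ((mode_t) -1)
#define DEFAULT_MODE 0644          /* assumed default, as in the illustration only */

/* Vulnerable pattern (reconstruction for illustration, not systemd's code):
 * a signed-style range check on an unsigned type. The guard can never fire,
 * so MODE_INVALID falls through and is used as a real mode. */
mode_t vulnerable_resolve_mode(mode_t requested) {
    if (requested < 0)            /* always false: mode_t is unsigned */
        return DEFAULT_MODE;
    return requested & 07777;     /* MODE_INVALID -> 07777, setuid/setgid included */
}

/* Fixed pattern: test for the sentinel value itself instead of a sign. */
mode_t fixed_resolve_mode(mode_t requested) {
    if (requested == MODE_INVALID)
        return DEFAULT_MODE;
    return requested & 07777;
}

/* The condition the report describes: a set-id bit together with write
 * permission for others. On a root-owned file on a non-nosuid mount this
 * is what makes the bug a local root exploit rather than a DoS. */
int is_world_writable_setid(mode_t m) {
    return ((m & (S_ISUID | S_ISGID)) != 0) && ((m & S_IWOTH) != 0);
}

/* Create a scratch file, apply the mode the given resolver yields for
 * MODE_INVALID (the "no mode" case a touch() call hits), and return the
 * permission bits the kernel actually recorded, or -1 on error. fchmod() is
 * used so that umask cannot hide the effect; the file is unlinked at once. */
int apply_resolved_mode(mode_t (*resolve)(mode_t)) {
    /* Constructed scratch paths: /tmp first, current directory as fallback. */
    static const char *templates[] = { "/tmp/touch-mode-demo.XXXXXX",
                                       "touch-mode-demo.XXXXXX" };
    char path[64];
    int fd = -1;
    for (size_t i = 0; i < 2 && fd < 0; i++) {
        strcpy(path, templates[i]);
        fd = mkstemp(path);
    }
    if (fd < 0)
        return -1;
    unlink(path);

    mode_t mode = resolve(MODE_INVALID);
    struct stat st;
    int rc = -1;
    if (fchmod(fd, mode) == 0 && fstat(fd, &st) == 0)
        rc = (int) (st.st_mode & 07777);
    close(fd);
    return rc;
}

int main(void) {
    int vuln = apply_resolved_mode(vulnerable_resolve_mode);
    int fixed = apply_resolved_mode(fixed_resolve_mode);
    printf("vulnerable resolver: file mode %04o%s\n", vuln,
           (vuln >= 0 && is_world_writable_setid((mode_t) vuln))
               ? "  <- world-writable set-id file" : "");
    printf("fixed resolver:      file mode %04o\n", fixed);
    return 0;
}
```

Run as an unprivileged user the scratch file is owned by that user, so the setuid bit is recorded but harmless; the same bits on a root-owned file are the exploitable case. The predicate above is what `find / -xdev -type f -perm -4002` (and `-perm -2002` for setgid) tests on an installed system, which is the cross-check a distributor would run beside reviewing the touch_*() call sites.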
Comment 1 Andrey Cherepanov 2017-01-24 12:55:40 MSK
p8 has systemd 230: https://packages.altlinux.org/en/p8/srpms/systemd/changelog,
which already contains the commit mentioned, now a year old.
Comment 2 Michael Shigorin 2017-01-24 17:03:35 MSK
commit ee735086f8670be1591fa9593e80dd60163a7a2f
Author: Lennart Poettering <lennart@poettering.net>
Date:   Wed Nov 11 22:54:56 2015 +0100