systemd touch_file() File Permissions Error Lets Local Users Obtain Root Privileges
SecurityTracker Alert ID: 1037686
SecurityTracker URL: http://securitytracker.com/id/1037686
Date: Jan 24 2017
Impact: Modification of system information, Root access via local system
A vulnerability was reported in systemd. A local user can obtain root privileges on the target system.
A local user can invoke systemd timer functions to create world writable set user id (suid) files with root ownership to gain root privileges on the target system.
The vulnerability resides in the touch_file() function in '/src/basic/fs-util.c'.
Sebastian Krahmer of the SuSE Security Team reported this vulnerability.
A local user can obtain root privileges on the target system.
Solution: The vendor silently issued a fix (v229).
Vendor URL: www.freedesktop.org/wiki/Software/systemd/
Cause: Access control error
Source Message Contents
Subject: [oss-security] Headsup: systemd v228 local root exploit (CVE-2016-10156)
This is a heads-up for a trivial systemd local root exploit that
was silently fixed in the upstream git as:
Date: Fri Jan 29 23:36:08 2016 +0200
basic: fix touch() creating files with 07777 mode
mode_t is unsigned, so MODE_INVALID < 0 can never be true.
This fixes a possible DoS where any user could fill /run by writing to
a world-writable /run/systemd/show-status.
The analysis says that is a "possible DoS", but it's a local root
exploit indeed. Mode 07777 also contains the suid bit, so files
created by touch() are world writable suids, root owned. Such
as /var/lib/systemd/timers/stamp-fstrim.timer that's found on a non-nosuid mount.
This is trivially exploited by something like:
with minimal changes, so I won't provide a PoC here.
The bug was possibly introduced via:
Date: Wed Nov 11 22:54:56 2015 +0100
util-lib: use MODE_INVALID as invalid value for mode_t everywhere
So we believe that this mostly affects v228 of systemd, but it's recommended
that distributors cross-check their systemd versions for vulnerable
touch_*() functions. We requested
a CVE for this issue from MITRE by ourselves: CVE-2016-10156
We would like to see that systemd upstream retrieves CVEs themselves
for their own bugs, even if it's believed that it's just a local DoS.
This would make distributors' life much easier when we read the git logs
to spot potential issues. The systemd git log is really huge, with
lots of commits each week ("new services as a service").
~ perl self.pl
~ firstname.lastname@example.org - SuSE Security Team
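The unsigned-comparison defect the message describes ("mode_t is unsigned, so MODE_INVALID < 0 can never be true"), shown as an added C illustration that is neither systemd's code nor part of the advisory or the reporter's mail: create_mode_buggy() models a sign check that can never fire and so lets the all-bits-set sentinel reach the file as mode 07777, create_mode_fixed() compares against the sentinel explicitly, and is_world_writable_setuid_root() plus scan_entries() classify a constructed inventory so an administrator can see which mode/owner combinations match the dangerous outcome. The function names, the DEFAULT_TOUCH_MODE value, the "(v228)"/"(v229)" labels and the sample entries are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Sentinel meaning "no explicit mode requested", in the spirit of systemd's
 * MODE_INVALID: all bits set, which is 07777 once masked to the low 12 bits. */
#define MODE_INVALID ((mode_t) -1)

/* Mode a touch-style helper should fall back to when none was requested
 * (assumed default for this example). */
#define DEFAULT_TOUCH_MODE ((mode_t) 0644)

/* Model of the v228 defect (illustrative, not systemd's code): the intent is
 * "use the default if the mode is invalid", but the test is written as a sign
 * check. mode_t is unsigned, so "< 0" is never true and the sentinel reaches
 * open(2)/fchmod(2) unchanged. gcc -Wextra reports this comparison as always
 * false; that warning is silenced here only so the example builds quietly, and
 * in a real tree it is exactly the signal to keep. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wtype-limits"
mode_t create_mode_buggy(mode_t requested) {
        if (requested < 0)            /* always false for an unsigned type */
                return DEFAULT_TOUCH_MODE;
        return requested & 07777;     /* only permission and set-id bits survive */
}
#pragma GCC diagnostic pop

/* Corrected check: compare against the sentinel explicitly. */
mode_t create_mode_fixed(mode_t requested) {
        if (requested == MODE_INVALID)
                return DEFAULT_TOUCH_MODE;
        return requested & 07777;
}

/* Classifier for the outcome the advisory describes: a root-owned file that is
 * set-uid and writable by every user. */
bool is_world_writable_setuid_root(mode_t mode, uid_t owner) {
        return owner == 0 && (mode & S_ISUID) != 0 && (mode & S_IWOTH) != 0;
}

/* Constructed inventory entry for an offline scan; a real scanner would walk
 * the filesystem and take st_mode/st_uid from stat(2). */
struct entry {
        const char *path;
        mode_t mode;
        uid_t owner;
};

/* Count entries matching the dangerous pattern, printing each one found. */
int scan_entries(const struct entry *e, int n) {
        int hits = 0;
        for (int i = 0; i < n; i++) {
                if (is_world_writable_setuid_root(e[i].mode, e[i].owner)) {
                        printf("world-writable setuid root: %s (mode %04o)\n",
                               e[i].path, (unsigned) e[i].mode);
                        hits++;
                }
        }
        return hits;
}

int main(void) {
        /* Constructed sample: the timer stamp the advisory names, as the buggy
         * and the fixed helper would create it, plus an ordinary setuid binary
         * (placeholder path) that is not world-writable. */
        const struct entry sample[] = {
                { "/var/lib/systemd/timers/stamp-fstrim.timer (v228)", create_mode_buggy(MODE_INVALID), 0 },
                { "/var/lib/systemd/timers/stamp-fstrim.timer (v229)", create_mode_fixed(MODE_INVALID), 0 },
                { "/usr/bin/example-suid-binary (placeholder)", 04755, 0 },
        };
        int hits = scan_entries(sample, 3);
        printf("%d dangerous file(s)\n", hits);   /* prints 1 */
        return 0;
}
```

Building with `cc -Wextra` and the pragma removed reproduces the compiler warning that would have flagged the original check. On a live host the same classifier applies to stat(2) results, and `find / -xdev -perm -4002 -uid 0` lists exactly the root-owned, setuid, other-writable files it would report.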