Allele Security Alert
ASA-2019-00010
Identifier(s)
ASA-2019-00010, CVE-2018-16865
Title
Stack overflow when receiving many journald entries
Vendor(s)
The systemd project
Product(s)
systemd
Affected version(s)
systemd v38 up to v240
Fixed version(s)
systemd releases that include the following commits:
journald: set a limit on the number of fields (1k)
https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4
journal-remote: set a limit on the number of fields in a message
https://github.com/systemd/systemd/commit/ef4d6abe7c7fab6cbff975b32e76b09feee56074
Proof of concept
Yes
Description
An unbounded memory allocation, which could result in the stack clashing with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.
Technical details
File: v238/src/journal/journal-file.c (journal_file_append_entry, lines 1963-1999)
---
int journal_file_append_entry(JournalFile *f, const dual_timestamp *ts, const struct iovec iovec[], unsigned n_iovec, uint64_t *seqnum, Object **ret, uint64_t *offset) {
        ....
        items = alloca(sizeof(EntryItem) * MAX(1u, n_iovec));

        for (i = 0; i < n_iovec; i++) {
                uint64_t p;
                Object *o;

                r = journal_file_append_data(f, iovec[i].iov_base, iovec[i].iov_len, &o, &p);
                if (r < 0)
                        return r;

                xor_hash ^= le64toh(o->data.hash);
                items[i].object_offset = htole64(p);
                items[i].hash = o->data.hash;
        }
---
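The listing above sizes a stack allocation directly from n_iovec, the number of fields in the incoming entry. The following is an added example, not code from the systemd project or from this advisory: a hardened version of that append loop that rejects entries above a fixed field-count cap (modeled on the 1k limit the fix commit introduces) and keeps the items array on the heap, so an oversized entry is refused with an error instead of growing the stack. The names append_entry_bounded, try_append_n_fields, fake_append_data and ENTRY_FIELD_COUNT_MAX are assumptions for illustration; fake_append_data stands in for journal_file_append_data and returns a constructed hash and offset rather than writing to a journal file.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Assumed cap, modeled on the upstream fix that limits fields per entry to 1k. */
#define ENTRY_FIELD_COUNT_MAX 1024u

/* Same shape as the EntryItem the advisory's listing fills in. */
typedef struct {
        uint64_t object_offset;
        uint64_t hash;
} EntryItem;

/* Stand-in for journal_file_append_data(): derives a constructed hash
 * (FNV-1a) and a constructed "offset" from the field bytes so the loop has
 * real work to do. It never touches a journal file. */
static int fake_append_data(const void *data, size_t len, uint64_t *offset, uint64_t *hash) {
        const unsigned char *p = data;
        uint64_t h = 1469598103934665603ULL;
        for (size_t i = 0; i < len; i++) {
                h ^= p[i];
                h *= 1099511628211ULL;
        }
        *hash = h;
        *offset = len;   /* constructed value, not a real file offset */
        return 0;
}

/* Hardened append: bound the field count before allocating anything, and
 * take the items array from the heap rather than via alloca(). Returns 0 on
 * success, -E2BIG when the entry has too many fields, -ENOMEM on allocation
 * failure. */
int append_entry_bounded(const struct iovec iovec[], unsigned n_iovec, uint64_t *xor_hash_out) {
        if (n_iovec > ENTRY_FIELD_COUNT_MAX)
                return -E2BIG;

        EntryItem *items = calloc(n_iovec ? n_iovec : 1, sizeof(EntryItem));
        if (!items)
                return -ENOMEM;

        uint64_t xor_hash = 0;
        for (unsigned i = 0; i < n_iovec; i++) {
                uint64_t p, h;
                int r = fake_append_data(iovec[i].iov_base, iovec[i].iov_len, &p, &h);
                if (r < 0) {
                        free(items);
                        return r;
                }
                xor_hash ^= h;
                items[i].object_offset = p;
                items[i].hash = h;
        }

        free(items);
        if (xor_hash_out)
                *xor_hash_out = xor_hash;
        return 0;
}

/* Builds a constructed entry of n identical "MESSAGE=hello" fields and
 * submits it, returning the append result so the cap can be checked. */
int try_append_n_fields(unsigned n) {
        static char field[] = "MESSAGE=hello";
        struct iovec *iov = calloc(n ? n : 1, sizeof(*iov));
        if (!iov)
                return -ENOMEM;
        for (unsigned i = 0; i < n; i++) {
                iov[i].iov_base = field;
                iov[i].iov_len = strlen(field);
        }
        uint64_t xh;
        int r = append_entry_bounded(iov, n, &xh);
        free(iov);
        return r;
}
```

The check sits before any allocation, so a caller-controlled field count can never influence how much memory is reserved; the heap allocation additionally means that even a cap set too generously fails with -ENOMEM rather than colliding with another mapping.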
This vulnerability was introduced in systemd v38:
commit cf244689e9d1ab50082c9ddd0f3c4d1eb982badc Date: Thu Dec 29 15:00:57 2011 +0100 ... - items = new(EntryItem, n_iovec); - if (!items) - return -ENOMEM; + items = alloca(sizeof(EntryItem) * n_iovec);
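Review bot: replacing `items = new(EntryItem, n_iovec);` and its `-ENOMEM` path with `items = alloca(sizeof(EntryItem) * n_iovec);` removes the only failure path and sizes a stack allocation from `n_iovec`, which this hunk does not bound, so a large field count translates directly into stack growth with no error return possible. Suggest keeping the heap allocation or rejecting `n_iovec` above a fixed field limit before the allocation, which is what the later "set a limit on the number of fields (1k)" commit does.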
and became exploitable in systemd v201:
commit c4aa09b06f835c91cea9e021df4c3605cff2318d Date: Mon Apr 8 20:32:03 2013 +0200 ... -#define ENTRY_SIZE_MAX (1024*1024*64) -#define DATA_SIZE_MAX (1024*1024*64) ... +#define ENTRY_SIZE_MAX (1024*1024*768) +#define DATA_SIZE_MAX (1024*1024*768)
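Review bot: raising `ENTRY_SIZE_MAX` and `DATA_SIZE_MAX` from `1024*1024*64` to `1024*1024*768` is not paired in this hunk with any limit on the number of fields per entry, so the larger accepted entry size also raises the number of iovec elements that journal_file_append_entry will alloca for. A size increase of this kind should come with an explicit field-count cap, as the later fix commit adds.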
Credits
Qualys Research Labs
Reference(s)
System Down: A systemd-journald exploit
https://seclists.org/oss-sec/2019/q1/54
1653861 (CVE-2018-16865) – CVE-2018-16865 systemd: stack overflow when receiving many journald entries
https://bugzilla.redhat.com/show_bug.cgi?id=1653861
journald: set a limit on the number of fields (1k)
https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4
journal-remote: set a limit on the number of fields in a message
https://github.com/systemd/systemd/commit/ef4d6abe7c7fab6cbff975b32e76b09feee56074
Exploiting systemd-journald Part 1
https://capsule8.com/blog/exploiting-systemd-journald-part-1/
system-down.tar.gz
https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz
CVE-2018-16865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16865
CVE-2018-16865
https://nvd.nist.gov/vuln/detail/CVE-2018-16865
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: September 3, 2019