ASA-2019-00010 – systemd: Stack overflow when receiving many journald entries


Allele Security Alert

ASA-2019-00010

Identifier(s)

ASA-2019-00010, CVE-2018-16865

Title

Stack overflow when receiving many journald entries

Vendor(s)

The systemd project

Product(s)

systemd

Affected version(s)

systemd v38 up to v240

Fixed version(s)

systemd builds that include the following commits:

journald: set a limit on the number of fields (1k)
https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4

journal-remote: set a limit on the number of fields in a message
https://github.com/systemd/systemd/commit/ef4d6abe7c7fab6cbff975b32e76b09feee56074

Proof of concept

Yes

Description

An unbounded memory allocation, which can cause the stack to clash with another memory region, was discovered in systemd-journald when many entries are sent to the journal socket. A local attacker, or a remote one if systemd-journal-remote is used, may use this flaw to crash systemd-journald or execute code with journald privileges.

Technical details

File: v238/src/journal/journal-file.c
---
/* journal-file.c, starting around line 1963 in v238 */
int journal_file_append_entry(JournalFile *f, const dual_timestamp *ts, const struct iovec iovec[], unsigned n_iovec, uint64_t *seqnum, Object **ret, uint64_t *offset) {
        ....
        /* n_iovec is the caller-supplied field count of the entry; no upper bound
         * is applied before this stack allocation */
        items = alloca(sizeof(EntryItem) * MAX(1u, n_iovec));

        for (i = 0; i < n_iovec; i++) {
                uint64_t p;
                Object *o;

                r = journal_file_append_data(f, iovec[i].iov_base, iovec[i].iov_len, &o, &p);
                if (r < 0)
                        return r;

                xor_hash ^= le64toh(o->data.hash);
                items[i].object_offset = htole64(p);
                items[i].hash = o->data.hash;
        }
---

This vulnerability was introduced in systemd v38:

commit cf244689e9d1ab50082c9ddd0f3c4d1eb982badc
Date: Thu Dec 29 15:00:57 2011 +0100
...
- items = new(EntryItem, n_iovec);
- if (!items)
- return -ENOMEM;
+ items = alloca(sizeof(EntryItem) * n_iovec);
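Review bot: replacing `new(EntryItem, n_iovec)` with `alloca(sizeof(EntryItem) * n_iovec)` drops the only failure path for an oversized item table, since `n_iovec` is the field count of the incoming entry and is not bounded in this function; `new()` returned -ENOMEM for an unreasonable size, whereas alloca just moves the stack pointer by that many bytes. Suggest capping the field count before this line and keeping heap allocation for anything above a small threshold.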

and became exploitable in systemd v201:

commit c4aa09b06f835c91cea9e021df4c3605cff2318d
Date: Mon Apr 8 20:32:03 2013 +0200
...
-#define ENTRY_SIZE_MAX (1024*1024*64)
-#define DATA_SIZE_MAX (1024*1024*64)
...
+#define ENTRY_SIZE_MAX (1024*1024*768)
+#define DATA_SIZE_MAX (1024*1024*768)
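Review bot: raising ENTRY_SIZE_MAX and DATA_SIZE_MAX from 64 MiB to 768 MiB without a matching limit on the number of fields per entry means a single accepted entry can carry enough fields for the per-field EntryItem table to outgrow a typical 8 MiB stack; the size increase should ship together with a cap on field count, which is what the later fix commits (1k limit) add.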
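As an added illustration, not code from this advisory or from the systemd project, the following C program contrasts the unbounded stack-allocation pattern shown in the excerpt above with a bounded, heap-backed variant of the item-table setup. `FIELD_COUNT_MAX`, `STACK_SIZE_TYPICAL`, `build_entry_items()`, `sample_entry_check()` and the FNV-style stand-in for `journal_file_append_data()` are assumptions constructed for this example; the 1024 cap echoes the 1k limit named in the fix commits but is not their exact code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Mirrors the shape of journald's per-field EntryItem (constructed for this example). */
typedef struct {
    uint64_t object_offset;
    uint64_t hash;
} EntryItem;

/* Hypothetical cap on fields per entry, in the spirit of the 1k limit the fix introduced. */
#define FIELD_COUNT_MAX 1024u

/* Assumed default thread stack size on a typical Linux system (8 MiB, `ulimit -s`). */
#define STACK_SIZE_TYPICAL (8u * 1024u * 1024u)

/* Bytes the vulnerable alloca(sizeof(EntryItem) * MAX(1u, n_iovec)) would request. */
size_t items_stack_bytes(size_t n_iovec) {
    return sizeof(EntryItem) * (n_iovec > 1 ? n_iovec : 1);
}

/* Returns 1 when that stack allocation alone would exceed the assumed stack size. */
int alloca_would_exceed_stack(size_t n_iovec) {
    return items_stack_bytes(n_iovec) > STACK_SIZE_TYPICAL;
}

/* Hardened item-table setup: reject oversized entries up front, then use the heap.
 * The hash is a toy FNV-1a over each field, standing in for journal_file_append_data(). */
int build_entry_items(const struct iovec iovec[], size_t n_iovec, EntryItem **ret, uint64_t *ret_xor_hash) {
    if (n_iovec > FIELD_COUNT_MAX)
        return -E2BIG;                      /* bounded before any allocation happens */
    EntryItem *items = calloc(n_iovec > 1 ? n_iovec : 1, sizeof(EntryItem));
    if (!items)
        return -ENOMEM;                     /* heap failure is reported, not a stack clash */
    uint64_t xor_hash = 0, offset = 0;
    for (size_t i = 0; i < n_iovec; i++) {
        uint64_t h = 1469598103934665603ULL;
        const unsigned char *p = iovec[i].iov_base;
        for (size_t j = 0; j < iovec[i].iov_len; j++) {
            h ^= p[j];
            h *= 1099511628211ULL;
        }
        xor_hash ^= h;
        items[i].object_offset = offset;    /* stand-in for the data object's file offset */
        items[i].hash = h;
        offset += iovec[i].iov_len;
    }
    *ret = items;
    *ret_xor_hash = xor_hash;
    return 0;
}

/* Helper: wrap a C string as an iovec (constructed sample input). */
static struct iovec iov_from_cstr(const char *s) {
    struct iovec v;
    v.iov_base = (void *)s;
    v.iov_len = strlen(s);
    return v;
}

/* Builds a constructed two-field entry and reports the second field's offset.
 * Returns 0 on success, a negative errno on failure or if the XOR hash is inconsistent. */
int sample_entry_check(uint64_t *ret_second_offset) {
    struct iovec iov[2];
    iov[0] = iov_from_cstr("MESSAGE=constructed sample");
    iov[1] = iov_from_cstr("PRIORITY=6");
    EntryItem *items = NULL;
    uint64_t xor_hash = 0;
    int r = build_entry_items(iov, 2, &items, &xor_hash);
    if (r < 0)
        return r;
    if (xor_hash != (items[0].hash ^ items[1].hash)) {
        free(items);
        return -EINVAL;
    }
    *ret_second_offset = items[1].object_offset;
    free(items);
    return 0;
}

int main(void) {
    uint64_t off = 0;
    printf("alloca bytes for 1024 fields: %zu (exceeds stack: %d)\n",
           items_stack_bytes(1024), alloca_would_exceed_stack(1024));
    printf("alloca bytes for 2^20 fields: %zu (exceeds stack: %d)\n",
           items_stack_bytes((size_t)1 << 20), alloca_would_exceed_stack((size_t)1 << 20));
    printf("bounded build of 2 fields: %d, second offset %llu\n",
           sample_entry_check(&off), (unsigned long long)off);
    printf("bounded build of %u fields: %d (E2BIG is %d)\n",
           FIELD_COUNT_MAX + 1, build_entry_items(NULL, FIELD_COUNT_MAX + 1, NULL, NULL), -E2BIG);
    return 0;
}
```

The point the numbers make: at 16 bytes per item, 1024 fields cost 16 KiB of stack, which is harmless, while a million fields cost 16 MiB, beyond an 8 MiB default stack, and nothing in the original code refuses the request before alloca runs. The bounded variant turns that into an ordinary error return.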

Credits

Qualys Research Labs

Reference(s)

System Down: A systemd-journald exploit
https://seclists.org/oss-sec/2019/q1/54

1653861 (CVE-2018-16865) – CVE-2018-16865 systemd: stack overflow when receiving many journald entries
https://bugzilla.redhat.com/show_bug.cgi?id=1653861

journald: set a limit on the number of fields (1k)
https://github.com/systemd/systemd/commit/052c57f132f04a3cf4148f87561618da1a6908b4

journal-remote: set a limit on the number of fields in a message
https://github.com/systemd/systemd/commit/ef4d6abe7c7fab6cbff975b32e76b09feee56074

Exploiting systemd-journald Part 1
https://capsule8.com/blog/exploiting-systemd-journald-part-1/

system-down.tar.gz
https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz

CVE-2018-16865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16865

CVE-2018-16865
https://nvd.nist.gov/vuln/detail/CVE-2018-16865

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: September 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.