Every week, Stephen Coty writes about interesting exploits that have caught his attention as chief security evangelist at Alert Logic. This last week (in a currently password-protected posting) he mused about a 'JournalCtl and Syslog Terminal Escape Injection' zero day which could be of interest to the Linux gurus here on DaniWeb.
Here's the story. A new init control system called Systemd is being integrated into Linux distros, in an effort to update and overhaul SysV and upstart so as to become a more modern init system. Fedora has already jumped into Systemd, and as I understand it Ubuntu won't be far behind.
What has caught the attention of the security researchers at Alert Logic, however, is that the Systemd architecture uses a log management component called journal, which relies on journalctl to read the binary data stored in the journals. This is where things get interesting, Coty says, because journal has the ability to read 'unprintable' characters.
Without the right flags, messages containing unprintable characters are referenced as binary blobs, and journalctl allows terminal escape characters to be passed through to the terminal unchanged (whereas the older syslog system filters these out), which opens up an injection risk.
Coty tells me that if we were to inject something like echo -e "\e]2;WINDOW HIJACK\a", then it would be possible to hijack the title bar of the tab or terminal window.
"All we need to do is be able to find daemons, locally or remotely, that allow a user-controlled injection to be placed into a debug log," Coty says, adding, "Locally this can easily be done with CUPS, as it uses unfiltered getenv everywhere, and remotely this can be done with avahi packet-parsing error messages."
Of course, there is a problem here which you've probably already spotted: how do those debug logs get into the journaling system in the first place? Coty's answer is Syslog: most daemons implement debugging functions, but those functions are written mainly to integrate with Syslog. "Until we see more journal adoption, we need syslog to still be on the system to pass the debug messages to the journal," Coty insists, since it is when both are in play that journalctl can be used for injection. Coty advises that the injection capability depends on the terminal emulator being used: currently Gnome-terminal is the easiest to use to inject arbitrary command execution, and xterm the most secure.
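As an added example (not from the post, from Coty or from Alert Logic), here is a small Python checker written from the defender's side: it flags log lines that carry OSC or CSI terminal escape sequences and renders control characters visibly in caret notation, which is the filtering behaviour the post attributes to syslog and says journalctl lacks by default. The sample log lines are constructed; the title-setting sequence is the one quoted above.

```python
import re

# Constructed sample lines, as a viewer might read them from a debug log that a
# daemon filled with unfiltered input. Line 0 carries the OSC title-setting
# sequence from the post (ESC ] 2 ; text BEL); the rest are benign.
SAMPLE_LINES = [
    "cups: PRINTER=\x1b]2;WINDOW HIJACK\x07",
    "avahi-daemon: Invalid response packet from host 192.0.2.10",
    "sshd: Accepted publickey for alice from 192.0.2.5 port 51234",
]

# OSC: ESC ']' ... terminated by BEL or by ST (ESC '\').
_OSC = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# CSI: ESC '[' parameter bytes, intermediate bytes, one final byte.
_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
# Any other C0 control or DEL, except TAB, LF and CR which logs use normally.
_C0 = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def describe_escapes(line: str) -> list:
    """Return the kinds of terminal control content found in a log line."""
    kinds, rest = [], line
    if _OSC.search(rest):
        kinds.append("OSC")
        rest = _OSC.sub("", rest)
    if _CSI.search(rest):
        kinds.append("CSI")
        rest = _CSI.sub("", rest)
    if _C0.search(rest):          # stray ESC, BEL, backspace and friends
        kinds.append("C0")
    return kinds


def sanitize_for_terminal(line: str) -> str:
    """Render control characters visibly (caret notation, like `cat -v`)
    so the terminal never interprets them. TAB, LF and CR are kept."""
    out = []
    for ch in line:
        code = ord(ch)
        if ch in "\t\n\r" or 0x20 <= code < 0x7f or code > 0x7f:
            out.append(ch)
        elif code == 0x7f:
            out.append("^?")
        else:
            out.append("^" + chr(code + 0x40))   # ESC -> ^[ , BEL -> ^G
    return "".join(out)


def scan_log(lines) -> list:
    """Flag lines containing escape content; returns (index, kinds, safe text)."""
    return [(i, describe_escapes(l), sanitize_for_terminal(l))
            for i, l in enumerate(lines) if describe_escapes(l)]


if __name__ == "__main__":
    for idx, kinds, safe in scan_log(SAMPLE_LINES):
        print(f"line {idx}: {','.join(kinds)} -> {safe}")
```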
So, what do the DaniWeb Linux gurus make of all this?