Linux Zero Day: JournalCtl and Syslog Terminal Escape Injection

In view of the latest head-butting between Linus Torvalds (head of Linux) and Kay Sievers (head of Systemd), this looks to be related. Apparently, systemd has had a long history of ignoring bugs and forcing others to work around their quirky or sub-standard software. The fact that it doesn't strictly filter logs seems to be inline with that reputation. I would assume that in any seriously maintained software projects, such trivial vulnerabilities would be patched up (up-stream and down) as soon as it's discovered.

I recently went through the exercise of compiling the Linux kernel from source for a ARM board. Systemd was one of those components that was constantly giving problems along the way, but in all fairness, it's pretty central too. This project should be handle with double the rigor of any other project, but instead, it seems to get about half the rigor of other projects.

Though it's not alarming in practice (I wouldn't go as far as to avoid an update to something using Systemd), it should be fixed somewhere along the line, preferable within Systemd itself.

It doesn't sound too hard to fix either. A patch preventing escape characters could easily be made ad-hoc by the vendor if it must.

Well...my name is Tyler Borland (TurboBorland) and I wrote this (and all the exploit monday stuff that's getting leaked) and didn't expect Coty to leak it out, that's why I password protected it to prevent more caching.

The vulnerability itself isn't that severe considering you have to use the appropriate flags when reading the journal binary file. Some other implementations could be more interesting like remote logging software. It was just fun bringing back old bugs with new implementations.

As for injection, there's a lot of projects that use unrestricted (secure_)getenv in a default system and, for remote, there's some projects that have error messages from local network traffic that get logged.

Now, the reason gnome-terminal is more interesting is because there's lots of things you can do with the VT sets it supports. Where xterm is minimal without iconify. You can check the system's support by dumping the termcaps with tools like tic/toe/infocmp for each. The whole window title change is supported by everything and it's simple, which is why it's a good PoC, but more can be done depending on situation and the terminal's supported termcaps.

Alright guys, because this was posted here I added some new information available and posted an updated version on my blog:

turbochaos.blogspot.com/2014/08/journalctl-terminal-escape-injection.html

I have provided a python script that allows someone to inject messages directly into Journal by using the UNIX socket (srw-rw-rw-. 1 root root). By changing argv[0] we can also pretend to be another process's message as long as -o=verbose isn't on to check for full path of binary. Enjoy.

Just to clarify, I was sent the information about the vulnerability along with all the detail as a potential news story by the PR company acting for Alert Logic. There was no 'leak' as far as I was aware, it was just another in a long line of communications from PR companies and security vendors/researchers that I get on a daily basis in my job as a tech journalist specialising in IT security. The difference with this one, compared to many, being that I thought it would be of interest to the DaniWeb Linux commuunity.

Systemd is designed to become central to the systems using it. It is, however, in no way central to Linux in general. There are sysvinit, BSD init, upstart, daemontools, OpenRC, and more which can be used.

Perhaps if the quality of this software is so low it's not worth using. It's already going against the modularity and plain text logging ideals so long part of Unix culture.

There is a lot of noise about systemd's faults all over the net. I've been in a discussion on the LinkedIn Linux Experts group about this very topic. Honestly, in many regards it is a hacked design for such a system-critical component (no formal methodology, modeling, verification, etc.) and many of us are of the opinion this is going to become a serious problem instead of the solution it purports to be. If I were Linus, I would be butting heads also!