Security researcher Sebastian Krahmer has recently discovered that a previously known security flaw in the systemd project can be used for more than crashing a Linux distro: it also grants local attackers root access to the device.
The issue was first introduced in the systemd source code in November 2015 and was patched two months later, in January 2016. It affects only systemd v228 and was fixed with the release of v229.
From DoS to root privilege escalation
Initially, the bug was categorized as a low-severity Denial-of-Service (DoS) issue that in the worst-case scenario could make Linux distros crash and reboot.
After taking a second, closer look at the issue, Krahmer revealed today that he had discovered a way to manipulate the same vulnerable systemd functions to escalate an attacker’s privileges to root.
“systemd creates world writable suid files that allow attackers to dump binaries into them and execute code as root,” the researcher wrote last week on the OpenSUSE bug portal.
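A defensive check for the condition Krahmer describes, added here as an example that is not from the article or the systemd project: a POSIX shell function that lists files which are both setuid and world-writable, the combination that lets an unprivileged user overwrite a root-executed binary. The function names and the `--scan` flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or systemd): audit a directory tree for
# files that carry both the setuid bit (4000) and the world-write bit (0002).
# Assumes a POSIX find(1) that supports "-perm -mode" (all listed bits set).

# Print every regular file under $1 whose mode has both bits set. Because
# "-perm -4002" requires all of the named bits, ordinary setuid binaries
# (mode 4755) and plain world-writable files (mode 0666) are not reported.
# Errors for unreadable directories are discarded so the listing stays clean.
find_world_writable_suid() {
    find "$1" -type f -perm -4002 2>/dev/null
}

# Count the findings so a monitoring job can alert on a non-zero result.
count_world_writable_suid() {
    find_world_writable_suid "$1" | wc -l | tr -d ' '
}

# Stand-alone use: "sh audit_suid.sh --scan" walks the whole filesystem.
# Run as root for complete coverage; exits 1 when anything is found.
if [ "${1:-}" = "--scan" ]; then
    hits=$(find_world_writable_suid /)
    if [ -n "$hits" ]; then
        echo "world-writable setuid files found:"
        echo "$hits"
        exit 1
    fi
    echo "no world-writable setuid files under /"
fi
```

A file reported by this check should be treated as a privilege-escalation path regardless of which package created it; the fix is to correct the mode (or remove the file) and then find out what keeps recreating it.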
Systemd bug is easy to exploit, but only locally
Krahmer says that there’s proof-of-concept code lying around the web that could very easily be edited to target this flaw, now tracked as CVE-2016-10156.
While exploitation complexity is low, the only good news is that the bug can’t be exploited over a local network or the Internet; an attacker needs an existing foothold on the machine he wants to take over.
The systemd project is currently at version 232. Knowing Linux users and hardware vendors as we do, it’s quite possible that there are quite a few machines still running v228.
Systemd is a core Linux utility that manages application processes on Linux distros. The vast majority of today’s major Linux distributions use systemd as their default init system, including most Linux versions deployed on IoT devices.