Hi all,

Our systemd-journald exploit for CVE-2018-16865 and CVE-2018-16866 is now available at:

https://www.qualys.com/2019/05/09/system-down/system-down.tar.gz

It is also attached to this email. A few notes about this exploit:

- It supports several targets by default (vulnerable versions of Debian, Ubuntu, Fedora, CentOS), and it should be relatively easy to add more targets.

- When adding a new amd64 target, use the "free_hook" method if possible (if located at a multiple of 16 plus 8, as explained in our advisory); for various reasons, the alternative "stderr_chain" method is not as reliable as "free_hook" and may therefore take longer to succeed.

- When adding and testing a new target, you may want to set "StartLimitInterval=1s" and "StartLimitBurst=10" (for example) in "systemd-journald.service": the exploit will detect this and brute-force faster.

- If the exploit dies because "No journal files were opened due to insufficient permissions", the "wall" method can be used instead (via the "-w" switch). Our exploit currently implements the wall method "ssh 127.0.0.1", but alternative methods can be implemented ("utempter" and "gnome-pty-helper", for example).

- To test the default information-leak method even if "No journal files were opened due to insufficient permissions", it is enough to create /var/log/journal/ (as explained in "man systemd-journald").

Thank you very much! With best regards,

-- the Qualys Security Advisory team
Attachment:
system-down.tar.gz
Description: application/gzip