
Andrew Ayer



From the blog

Thoughts on the Systemd Root Exploit

January 24, 2017

Sebastian Krahmer of the SUSE Security Team has discovered a local root exploit in systemd v228. A local user on a system running systemd v228 can escalate to root privileges. That's bad.

At a high level, the exploit is trivial:

  1. Systemd uses -1 to represent an invalid mode_t (filesystem permissions) value.
  2. Systemd was accidentally passing this value to open when creating a new file, resulting in a file with all permission bits set: that is, world-writable, world-executable, and setuid-root.
  3. The attacker writes an arbitrary program to this file, which succeeds because it's world-writable.
  4. The attacker executes this file, which ...
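
Steps 1 and 2 can be observed directly, in an added C example that is neither systemd's code nor part of the original post: on Linux, `open` keeps only the low twelve bits of the mode argument, so an "invalid" sentinel of -1 becomes a request for every permission bit. The names `MODE_INVALID`, `perms_after_create`, `perms_after_checked_create` and the scratch path are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MODE_INVALID ((mode_t) -1)   /* illustrative sentinel: "no mode given" */

/* Create a scratch file with `mode` and return the permission bits it ended
 * up with, or -1 on error. The file is removed again before returning. */
static int perms_after_create(mode_t mode) {
    char dir[] = "/tmp/mode-demo-XXXXXX";   /* constructed scratch location */
    char path[64];
    struct stat st;
    int result = -1;

    if (!mkdtemp(dir)) return -1;           /* private 0700 directory */
    snprintf(path, sizeof path, "%s/f", dir);

    mode_t old = umask(0);                  /* take umask out of the picture */
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, mode);
    umask(old);

    if (fd >= 0) {
        if (fstat(fd, &st) == 0) result = (int) (st.st_mode & 07777);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

/* Hardened wrapper: refuse the sentinel and any bits beyond rwx. */
static int perms_after_checked_create(mode_t mode) {
    if (mode == MODE_INVALID || (mode & ~(mode_t) 0777) != 0) return -1;
    return perms_after_create(mode);
}

int main(void) {
    printf("open(..., MODE_INVALID) -> %04o\n", (unsigned) perms_after_create(MODE_INVALID));
    printf("checked, MODE_INVALID   -> %d\n", perms_after_checked_create(MODE_INVALID));
    printf("checked, 0644           -> %04o\n", (unsigned) perms_after_checked_create(0644));
    return 0;
}
```

The scratch file is owned by whoever runs the program, so the setuid bit here grants nothing; the same call made by a root-owned process is what produces the setuid-root file described in step 2.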

