From the blog
January 24, 2017
Sebastian Krahmer of the SUSE Security Team has discovered a local root exploit in systemd v228. A local user on a system running systemd v228 can escalate to root privileges. That's bad.
At a high level, the exploit is trivial:
- Systemd uses -1 to represent an invalid `mode_t` (filesystem permissions) value.
- Systemd was accidentally passing this value to `open` when creating a new file, resulting in a file with all permission bits set: that is, world-writable, world-executable, and setuid-root.
- The attacker writes an arbitrary program to this file, which succeeds because it's world-writable.
- The attacker executes this file, which ...
|October 2016||Systemd is not Magic Security Dust|
|September 2016||How to Crash Systemd in One Tweet|
|February 2016||Domain Validation Vulnerability in Symantec Certificate Authority|
|December 2015||Duplicate Signature Key Selection Attack in Let's Encrypt|
|October 2015||I Don't Accept the Risk of SHA-1|