Bugzilla – Bug 1119056
Root exploit at uid overflowing attack with systemctl: CVE-2018-19788
Last modified: 2018-12-19 23:37:45 UTC
A user with a uid larger than INT_MAX would have the privilege to use systemctl. It can also use `systemd-run -t /bin/bash` to create a shell with root privilege, which means root exploitation.
Also, this new user cannot be logged in using the graphics interface. It would hang on the login prompt and roll back to the previous scene.
It is known as CVE-2018-19788 and is found in many other distributions.
Steps to Reproduce:
1. switch to text mode using `systemctl set-default multi-user.target` and reboot
2. login as root
3. useradd bug && passwd bug
4. vi /etc/passwd (change uid to 3000001001)
5. logout and login as bug
6. systemctl enable fail2ban (fail2ban is just an example. Feel free to try other services)
7. ls -al /etc/systemd/system/multi-user.target.wants/fail2ban.service
Or in a graphics mode terminal:
1. sudo su && useradd bug && passwd bug
2. su bug
3. vi /etc/passwd (change uid to 3000001001)
4. systemctl enable fail2ban (fail2ban is just an example. Feel free to try other services)
5. ls -al /etc/systemd/system/multi-user.target.wants/fail2ban.service
systemctl commands are executed, though there's an assertion warning about uid out of range
Authentication should be needed for systemctl
Duplicated to bug #1118274
*** This bug has been marked as a duplicate of bug 1118277 ***
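For administrators checking exposure to the condition this report describes (an account with a uid larger than INT_MAX), the following audit is an added example, not part of the bug report or of any project's code. The function name `find_large_uids` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list accounts whose UID is above
# INT_MAX (2147483647), the condition the report describes.

INT_MAX=2147483647

# find_large_uids [FILE]   (hypothetical helper name)
# Reads passwd-format lines from FILE (or stdin) and prints "name:uid" for
# each entry whose UID is greater than INT_MAX.
find_large_uids() {
    awk -F: -v max="$INT_MAX" '
        /^[ \t]*#/ || NF < 3 { next }   # skip comments and malformed lines
        $3 !~ /^[0-9]+$/     { next }   # UID field must be decimal digits
        {
            uid = $3
            sub(/^0+/, "", uid)         # ignore leading zeros
            # Compare as digit strings: a longer string is a larger number,
            # equal lengths compare lexicographically. This avoids float
            # rounding on very large UID values.
            if (length(uid) > length(max) ||
                (length(uid) == length(max) && (uid "") > (max "")))
                print $1 ":" $3
        }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real system.
find_large_uids <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
edge:x:2147483647:100::/home/edge:/bin/bash
bug:x:3000001001:100::/home/bug:/bin/bash
huge:x:99999999999999999999:100::/home/huge:/bin/bash
EOF
```

On a real host, `find_large_uids /etc/passwd` checks local accounts, and `getent passwd | find_large_uids` also covers accounts served by a directory service.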