Bug 1119056 - Root exploit at uid overflowing attack with systemctl: CVE-2018-19788
Status: RESOLVED DUPLICATE of bug 1118277
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Importance: P1 - Urgent, Critical
Assigned To: Security Team bot
Reported: 2018-12-11 06:18 UTC by Zhiyuan Gao
Modified: 2018-12-19 23:37 UTC

Description Zhiyuan Gao 2018-12-11 06:18:58 UTC
A user with a uid larger than INT_MAX would have the privilege to use systemctl. It can also use `systemd-run -t /bin/bash` to create a shell with root privilege, which means root exploitation.

Also, this new user cannot log in using the graphics interface. It would hang on the login prompt and roll back to the previous scene.

It is known as CVE-2018-19788 and is found in many other distributions.

Reproducible: Always

Steps to Reproduce:
1. switch to text mode using `systemctl set-default multi-user.target` and reboot
2. login as root
3. useradd bug && passwd bug
4. vi /etc/passwd (change uid to 3000001001)
5. logout and login as bug
6. systemctl enable fail2ban (fail2ban is just an example. Feel free to try other services)
7. ls -al /etc/systemd/system/multi-user.target.wants/fail2ban.service

Or in a graphics mode terminal:
1. sudo su && useradd bug && passwd bug
2. su bug
3. vi /etc/passwd (change uid to 3000001001)
4. systemctl enable fail2ban (fail2ban is just an example. Feel free to try other services)
5. ls -al /etc/systemd/system/multi-user.target.wants/fail2ban.service

Actual Results:  
systemctl commands are executed, though there's an assertion warning about uid out of range

Expected Results:  
Authentication should be needed for systemctl
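
An added check, not part of the original report: a scan of passwd-format data for accounts whose UID is above INT_MAX, the condition the description gives for the bug. The function names, reason labels and sample entries are constructed for illustration; only the `bug` account and its UID come from the reproduction steps.

```shell
#!/bin/sh
# Added example (not from the bug report): flag passwd entries whose UID is
# above INT_MAX, the condition the report describes.
INT_MAX=2147483647

# audit_passwd FILE|-  prints "name:uid:reason" per suspicious entry and
# returns 1 if any were found, 0 otherwise. Defaults to /etc/passwd.
audit_passwd() {
    awk -F: -v max="$INT_MAX" '
        /^[ \t]*#/ { next }              # comment lines
        /^[ \t]*$/ { next }              # blank lines
        /^[+-]/    { next }              # NIS compat entries carry no local UID
        NF < 7 { printf "%s:%s:malformed-entry\n", $1, $3; bad = 1; next }
        $3 !~ /^[0-9]+$/ { printf "%s:%s:non-numeric-uid\n", $1, $3; bad = 1; next }
        {
            uid = $3
            sub(/^0+/, "", uid)          # leading zeros must not inflate the length
            # More than 10 digits cannot fit in 32 bits; shorter values compare
            # exactly as awk doubles.
            if (length(uid) > 10 || uid + 0 > max) {
                printf "%s:%s:uid-above-INT_MAX\n", $1, $3
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:-/etc/passwd}"
}

# Constructed sample data; "bug" uses the UID from the reproduction steps.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
# constructed comment line
alice:x:1000:100:Alice:/home/alice:/bin/bash
edge:x:2147483647:100:exactly INT_MAX:/home/edge:/bin/bash
bug:x:3000001001:100::/home/bug:/bin/bash
padded:x:0000000001001:100::/home/padded:/bin/bash
huge:x:99999999999999999999:100::/home/huge:/bin/bash
neg:x:-1:100::/home/neg:/bin/bash
EOF
}

# Demo on the sample; on a real host call: audit_passwd /etc/passwd
sample_passwd | audit_passwd - || true
```

A non-zero return status makes the function usable as a gate in provisioning or compliance scripts.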
Comment 1 Zhiyuan Gao 2018-12-11 06:29:25 UTC
Duplicated to bug #1118274

*** This bug has been marked as a duplicate of bug 1118277 ***