'Severe' Systemd Bug Allowed Remote Code Execution For Two Years

ITWire reports: A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.

Time for tar and feathers?

[chthon]

Anyone?

Re:Time for tar and feathers?

Wow, what a douchebag that guy comes off as.

Re:Time for tar and feathers?

[lucm]

Followed your link, and interestingly:

poettering locked and limited conversation to collaborators 23 hours ago

He's a real team player

Re:Time for tar and feathers?

[squiggleslash]

Not a Lennart critic in general (I usually defend systemd) but I think the GP has a point here.

- The first bug was closed immediately despite systemd treating what Lennart considers an error (debatable) in the worst way possible - escalating a process to root privileges when the user is clearly stating it shouldn't.
- The second bug is an attempt to say "OK, we'll play your game, if you're saying that's correct behavior because of {another issue}, then let's state that {another issue} is also a bug because that's not right either.

In both cases Lennart has immediately closed the ticket without waiting for discussion. He may or may not have reasonable reasons for initially opposing the tickets (he doesn't in the first ticket's case, he absolutely doesn't - root privileges because a username (which you're not even going to bother validating) doesn't look right?! - which is what the GP is complaining about.

This is, frankly, horrifying. systemd is a key part of the GNU/Linux infrastructure, and it exists for a reason: to remove the reliance on shitty, fragile, shell scripts that were all-too-easily made insecure through ignorance or haste. Those who develop it must, absolutely must, listen to and take seriously security concerns. Closing two tickets in a row, immediately, without discussion, concerning a major privilege escalation, still worse because of logic that ultimately boils down to "The user should be smart enough to know some username rules that some developer somewhere pulled out of their arse and which only one or two tools actually enforce", is ridiculously incompetent.

Re:Time for tar and feathers?

[jmccue]

And again, it's not the huge security issue some people make out that it is because in order to create a user with a name starting with a digit and then create a service starting as that user, you have to have root anyway.

true, but - with people downloading packages (rpm/deb/whatever), what if that package contained a unit file with such an ID ? off to root it goes. So does that means a admin after installing a package needs to examine the unit files even if from a trusted source ?

Bugs happen and since systemd is open someone found it and it may very well have been fixed by now. If systemd was proprietary, at this point maybe only the (three letter) orgs would know and keep it a secret. So the development model worked anyway :)

The silly thing is the argument of "is this a bug ? yes/no/yes/no...".

Re:Time for tar and feathers?

[aardvarkjoe]

Poettering's "logic" is pretty much that he doesn't want to adhere to standards just because he doesn't want to. He spouts some nonsense about making the unit files "portable," but that argument really doesn't make any sense in the context of this bug -- how on earth can you justify misinterpreting a username that is valid on some systems as being "portable"?

Re:Time for tar and feathers?

any actual argument beyond "he immediately closes bugs I think are obvious!"

The solution is left as an exercise

Serious users do not consider this a problem

I don't know what the name for this fallacy is, but if nothing else, it's an Appeal to Authority by proxy. It shuts down discussion by implying that if one were at the same exalted intellectual plane as the claimant, then there would be nothing to discuss. And that, by implication, if you consider that there actually is something to discuss, you are inferior.

Given in response to an honest question, it is an attack on the querent, and, as such, intellectual bullying.

Re:Time for tar and feathers?

[AmiMoJo]

Which is really damn obviously false, because the relevant standards permit it and various Linux systems permit it. It's only "not valid" as defined by systemd.

No! This is where you are confused. It's not valid. Some Linux tools allow it, but they shouldn't. The rules for Linux user names say they must not start with a digit, and for good reason (could accidentally insert a space and be treated as a UID, similar to the old "rm /rf / random_dir" mistake).

Re:Time for tar and feathers?

[drinkypoo]

One of us has this backwards... It looks to me like in both cases Lennart is saying that systemd follows the Linux standard, not POSIX.

What Linux standard? The LSB? POSIX is the only other standard involved, and Linux tends to follow POSIX in spite of the many protestations that Linux is not POSIX.

Re:Time for tar and feathers?

[squiggleslash]

One of us has this backwards... It looks to me like in both cases Lennart is saying that systemd follows the Linux standard, not POSIX. Under the Linux rules on usernames they can't start with a number, so using "0day" as a username is invalid and the service won't start because the user doesn't exist.

Neither of us have it backwards. First ticket is Lennart essentially saying "It's OK for systemd to run an application as root when a user specifies an username beginning with a digit because I (Lennart) think the user has made an error, a username shouldn't begin with a digit (his justification being what you're saying.) The second is saying "We shouldn't treat a username beginning with a digit as an error".

It's debatable it is a "Linux" standard to begin with. Only one of the two command line tools to add users actually enforces this supposed rule. Literally nothing else does. The kernel is agnostic. And the command line tools aren't Linux, they're GNU. So what we're looking for is evidence that (1) RMS or an officer blessed by RMS has declared this to be a standard and (2) No declaration since has placed POSIX compatibility ahead of legacy GNU functionality.

Both tickets are entirely reasonable and not one of them should have been closed without discussion. Actually, let me correct that, the first should have been closed with just a note along the lines of "Fuck me! You're right! Personally I think {Inserts personal beliefs about "Linux"'s username policy here} so I'll just have it output an error message and not start the daemon", not "Ha, user is an idiot! LOL ROLF APK!! EVERYONE knows usernames begin with letters LOL! Root privileges for everyone!"

Re:Time for tar and feathers?

[aardvarkjoe]

What happens when someone creates a user whose username is purely numeric and that number is different from the uid? What happens when a hacker creates a user with a username of "1" (eg. the uid of root)? Should systemd treat that as root (assuming "1" is a uid) or as the user with username "1" (uid is above 100)?

It would be sensible to disallow creation of all-numeric user names, because of the reasons you stated (far too likely that somebody is doing something nasty.) But disallowing them really doesn't fall under systemd's purview, since systemd is not the manager of the username database. And even if we decided that all-numeric usernames should be disallowed, systemd's totally braindead behavior of granting root access if you try to use one would still be wrong.

In today's environment, we can't afford security to be an afterthought, especially in an extremely pervasive and complex piece of software like systemd.

The problem with systemd

[SharpFang]

That's a problem with Systemd. It's a pretty decent idea with a sub-par execution and a crappy way of dealing with an inherent problem.

Idea: centralized place to optimize startup, management and interconnectivity of all kinds of services.

Problem: some services in their standard form don't quite fit that model.

Solution: let's rewrite them and include as parts of systemd.

The crap part: while the originals were made by experts in that field, the replacements are made by a group of wannabe experts on everything ever, some with overinflated ego. This results in seriously inferior code replacing old 'tried and true' solutions.

At this point, the only real solution I can see is making a fork of systemd, banning the current systemd creators from participating in it, and trimming it to size. If a service doesn't quite fit systemd, work on systemd until it fits, don't rewrite it!

Re:The problem with systemd

[Viol8]

"Some of it is even insecure by design "

So because all software has bugs we should just say: "Meh, who cares if systemd is bloated, has monumental feature creep, an author with a serious ego problem who doesn't like fixing them and it replaced an init which, while a bit crusty did what it said on the tin, because, well, systemd." Right?

Wrong. Systemd, is a poor idea, poorly implemented in a project thats poorly managed. Quite why redhat are in thrall to the arrogant little twerp in charge is anyones guess.

Re:The problem with systemd

That's a problem with Systemd. It's a pretty decent idea with a sub-par execution and a crappy way of dealing with an inherent problem.

If by "decent" you mean "spectacularly stupid, fantastically bad, terrible to depraved depths, will never work properly", then yes.

The problems with basically anything written by poettering and crew start with them being... let's be polite here, not very good with this "software architecture" thingy. Their approaches to any problem they're setting out to solve, real or imagined, are baroque, juvenile, overly complex, brittle, prone to spectacular breakage, and so is their entire everything else.

Yes, there are problems with the software they're seeking to replace, but that doesn't mean their solutions are anything of the sort. We're seeing time and again that their improvements are in fact detriments and so even as a simple user you're typically better off without.

It also doesn't mean the problems cannot be solved some other way. In fact, we have at least a dozen replacements for sysvinit, fully half of which would certainly better than systemd. So there really is no point to use their software at all except because you like sticking to fantastiterribad ideas.

Among poettering and crew's many failings is that they have no truck at all with "the Unix philosophy". If they are dimly aware of where that came from, at best they'll wilfully do something else, just to "be different". Linux' own dave cutler, with fanclub, if you will.

This is quite damaging. So why are red hat still backing poettering and crew? In short, politics. They're having their lunch eaten by oracle, yet they're bound by the GPL, so they're trying a different tack. And for them it's working fine, to the point that many other linux distributions are following their lead.

Which, frankly, is entirely stupid from the other projects' users' PoV. But too many in the community don't grasp the finer points of what's really going on (did you know red hat and oracle are in a corporate war of domination, with oracle doing a good cuckoo impression?) so they'll just bob along with the currents, to their detriment.

I don't expect poettering and crew to understand that they're red hat's useful idiots in this, mind. They might, but from their works I'm inferring they're just not that bright.

So the simple solution is really quite simpler than your proposal: Do away with the poettering crap. Just out with it. All of it. No exceptions. Yes, some things will break, most of which well deserve to break. Some in fact don't even need fixing. Then we can fix the important broken bits, preferrably in a sensible, simple way that keeps well to itself, and doesn't try to overpower fifty other unrelated subsystems. A little architecture and some (un)common decency go a long way here.

Re:The problem with systemd

[SharpFang]

Because "the crap part" is not what is written on the box. Systemd *appears* attractive. The idea is neat. The promise is tempting.

Including systemd in your distro is like preordering No Man's Sky.

Re: The problem with systemd

And, security problems + no logs = even bigger problem. Even if he doesn't get why logs are important for security, I wish he would get why they're needed for troubleshooting. It sucks managing a lot of special snowflake servers with systemd since so often error messages don't make it to the journal.

Re:The problem with systemd

Which is why all the technical leads of various distributions couldn't wait to adopt it...

...wherever its promoters had managed to remove the opposition through politicking. No success *at all* anywhere else.

Wake us up when anyone adopts systemd-trojan *voluntarily*. Till then, do abstain from crowing.

Re:The problem with systemd

[ckatko]

There is no one on the internet who uses Linux who hasn't heard a hate-filled rant calling systemd a piece of shit.

Every comment section, of every website. Reddit. Slashdot. Mailing lists.

So you're welcome to come up with a new reason for why everyone uses it "even though it sucks." But your reason of "nobody knew it would suck" is complete bullshit.

Re: The problem with systemd

[lucm]

Lately I had a flaky service and to get it working I ended up wrapping the daemon in a shell script, and had systemd call that shell script instead. I still had to fight with systemctl because apparently it knows better than me how long a daemon should take to start before giving up, but I managed to get it working *in spite* of systemd.

Now I have a Docker-first policy and for the most part it's to avoid dealing with systemd.

Re:The problem with systemd

[aardvarkjoe]

For example, recently it was found that some tools to add users allow the username to start with a number, which isn't allowed by the spec and can result in such a user (e.g. "0day") getting root access. Been there for a long, long time because apparently no-one does even basic tests on such critical bits of software to make sure it complies with he established rules.

This is gold. You're throwing an absolute hissy fit over people saying that systemd is responsible for the bug in question. Then you turn around and claim that the real fault is in long-established tools for not following your (imagined) rules, and exposing a serious security bug in your new systemd code.

What we really need is people dedicated to testing important OS code. It's a boring job that no-one wants, and anyone who takes it on will probably give up quickly as their bug reports are met with abuse and indifference.

.... I bet you don't even realize the irony of this coming from a systemd supporter.

Surprised?

[MrKaos]

No.

From all of us Linux greybeards:

[Gravis+Zero]

We told you so.

No, its not a pretty decent idea

[Viol8]

"centralized place to optimize startup, management and interconnectivity of all kinds of services."

Sorry, thats not how its done in Unix. We don't want a huge monolithic application as init since that brings a huge attack surface to the most important process in the OS, not to mention a bug in a service that doesn't belong there potentially bringing down the entire system.

Re:No, its not a pretty decent idea

[Tranzistors]

We don't want a huge monolithic application as init since that brings a huge attack surface to the most important process in the OS

Perhaps we need to get rid of Linux kernel as well. But seriously, to reduce the attack surface, just disable unused services (the article even points out that Debian has systemd-resolved disabled by default). systemd is modular.

I expect nothing less from Poettering

Remote exploits in critical system services? I expect nothing less from the PulseAudio creator.

If you're not familiar with smoke any mirrors from the SystemD PR king, then perhaps these inherent flaws in his projects comes as a surprise to you. But for years a handful of people tried to put the brakes on Poettering and his cronies from hijacking Linux and turning it into his egotistical vision of desktop Unix.

We have failed.

Re: Now it becomes clear...

See, this is textbook example of systemd apologists having zero clue about the software they praise.

Is the INIT part of systemd and PROCESS MANAGEMENT "simply better"? Maybe, probably (with the exception of it ignoring invalid values instead of failing to start, like this 0day issue).

But how on gods goddamned earth is reinventing a DNS recursor, which btw is not RFC compliant (per the developer's OWN words it might NEVER be compliant because that idiot has no clue what resolvers really are), any BETTER?!?! It is not better. It is far worse. They're reinventing something they do NOT properly understand and in the process introduce NEW bugs and insecurities, and reinvent OLD bugs that proper resolvers have gone through in the past decades.

Maybe if you would LEARN what systemd really is inside, maybe then you'd see it's a steaming pile of shit that has LONG gone beyond being an init replacement.

What a load of bollocks.

The design of systemd is that they all adhere together. Claiming this is somehow not systemd is only slightly less silly than claiming it's not systemd because it's in one of the source files not called "systemd.c".

Re:Better distro suggestions?

[fnj]

That's easy. FreeBSD! It is POSIX, UNIX philosophy through and through, and not only completely free of Poetteringitis; it's free of all immature and incompetent vanities and warped design crazes.

Meanwhile in Slackware land...

[Noryungi]

- "Uh? There has been another issue with systemd? Really?"
- "Yeah, but anyway, never mind, we have better things to do."
- "Okay."

Slackware: no systemd, sane defaults, no weirdo patches.

Yeah, it works.

Why does Red Hat allow damage to its reputation?

[Futurepower(R)]

Quotes, with minor modifications to make comments more readable, and some text in bold:

"Systemd is a poor idea, poorly implemented, in a project that's poorly managed."

"... sure is wilfully, deliberately, and very gratuitously, incompatible with everyone else. ... That means a big boon in control for Red Hat.

"I doubt Poettering himself understands his role in this, seeing his grasp of architecture, code quality, and so on, so that makes him a 'useful idiot'. He sure does have the personality to pull it off, though. Incompetent arrogance does go a long way, with the right backing."

Systemd, and the poor way it has been presented, had been damaging to Red Hat's reputation ("Dead Hat"). Why did Red Hat management allow that? Is it because Red Hat makes money providing consulting services, and wants Linux configuration to be difficult so that the company will make more money?

Re:"Intellectually dishonest"

I started with Unix in 1982.

Systemd fails many of the basic Unix concepts. Small, interconnectable tools, text log files, human readable configurations.

Re:The second one

[dbIII]

In systemd, if a unit fails, the ENTIRE init system fails and your system boots in emergency mode.

And that is worse than allowing full escalation to root in what way?
The problem with that development team is a focus on single user laptops and desktops where it doesn't really matter if the user has full root access. They should be paddling in the shallow pool of MS Windows 10 instead of changing something people want to use for servers.

Re:Old News

You're too stupid to understand this. The vulnerable vector is not someone creating a user on your system. The vulnerable vector is not someone installing a unit file without your knowledge.

The vulnerable vector is in TIRED admin typing User= and accidentally starting it with 0. The vulnerable vector is process intended to run unprivileged, running as root.

AND WHY?

ONLY BECAUSE the systemd developer is too arrogant to admit his little shit of a product parses values wrongly.

* Forget POSIX
* Forget whether useradd or shadowutils may or may not allow creating usernames that start with 0
* Forget politics, reasons, distros
* Forget EVERYTHING except ONE little thing: "0string" is ** NOT ** a valid integer value, so don't treat it as one.

Your shitty little parser is WRONGLY parsing the value of User= field. It does not take the WHOLE value in consideration but only the numeric part of it. There is not a single situation where you'd want your program to do that. Absolutely no excuse, no use case, nothing, where "0day" is taken AS A VALID NUMBER 0, regardless how it got there.

garbage-in = garbage-out. That makes systemd a GARBAGE DISPENSER, because it allows garbage-in without validating it.

MS Windows attitude

[dbIII]

With one of those links Lennart wrote:

Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place ... So, yeah, I don't think there's anything to fix in systemd here.

It's things like this that remind us that Lennart is even now still a newbie who thinks in terms of MS Windows. The tool that could create such a username is any text editor, which is something nearly every sysadmin and nearly any long term user of *nix could have told him.

Who the fuck are you?!

[GeekWithAKnife]

Tarring and feathering would indeed be good -- especially that Lennart as usual insta-closes an obvious and nasty security bug[1] as "non-bug". And when presented with standards documents, he says they don't apply to him [github.com]. Seriously, can someone buy this guy an "Unix for dummies" book? While we don't exactly suffer from a dearth of kooks, this particular kook enjoys having his employer promote his masterpieces even when totally inadequate. The world would be so much better without systemd, PulseAudio and avahi.

Actually nevermind, here's root access.

Re:Even Windows isn't this bad

[F.Ultra]

The problem is not having to wait a few ms for syslog to startup, the problem is that syslog have dependencies (like i.e access to a file system) that needs to be up before it can be started and thus everything that logs before that is missed unless something else does it.

And journald is not something that "everyone hates", some people here on Slashdot does yes, but there are lot's of people out in the real world who uses it and prefers it to the old syslog. I was myself quite sceptical when journald was announced with binary files but now that I've used it for some time I do realise that there are things it does and that it does well that would be just impossible or extremely complicated to do with the old syslog text format (i.e that the journal catches all output from stdout and stderr and joins it with the syslog output by adding the unit name in the meta-data, or that you can search for all logs produced by a special unit without accidentally get logs from other applications mixed in due to them matching the same grep pattern).

Re:"Intellectually dishonest"

[F.Ultra]

How are the unit files not "human readable configurations", especially when compared with the old sysv init scripts?