7 Comments

  1. Patrick Schaaf

    Pretty much a bullshit score for a bug where an admin has to actively write, in a unit he hand-crafted himself, a user that matches \d+.*.

    But it takes a shot at systemd, so that surely always earns an automatic +5.

    (no, I don't mean that this really is not-a-bug, but the impact…)

    • kris kris

      As of now, that 9.8 score is in reconsideration. Most likely for the reasons you state.

  2. Marcus Meissner

    The CVSSv3 score is totally off.

    AV:L(ocal),
    PR:H(igh) at least root needs to be ordered to run a service
    UI:R (user interaction with admin required)

    score 6.3 or so

  3. Stefan Funke

    Network exploitable? -v anyone?

  4. If this gets exploited, I’d guess it happens by installing a rpm or deb package that ships a funny[tm] *.service file.

    User= allows usernames or UIDs, for example User=3𝟢

    My example looks sane?

    That’s what code or package reviewers (if there is any review at all) probably think. However, the “𝟢” is not the digit zero, it is “1D7E2 mathematical sans-serif digit zero” and that package/*.service has just rooted you 😉

    You don’t even need unicode – “User=3O” with uppercase letter “O” might already look good enough.

    And since you typically download your rpms and debs, this is why someone could call this network exploitable.

    That said: I agree that 9.8 is too much – but it’s closer to the truth than not-a-bug.

  5. cjk

    Eh, why does it even allow any UIDs at all. Yes it’s technically possible (“just because™” part), but when was the last time you used such? Writing User=1337 into a service would require most people to have a secondary look at passwd what 1337 maps to.

    • kris kris

      Because sometimes these things matter (e.g. in any NFS environment).
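
The look-alike User= values from comment 4 ("3𝟢" and "3O") can be caught when reviewing packaged unit files. The following is an added example, not part of the original thread or of systemd; the function names, the sample unit and the conservative name policy are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample unit (not from a real package); the User= value is the
# one quoted in the thread: ASCII "3" followed by U+1D7E2.
SAMPLE_UNIT = """\
[Unit]
Description=constructed example

[Service]
User=3\U0001D7E2
ExecStart=/usr/bin/true
"""

# str.isdigit() and \d also accept Unicode digits such as U+1D7E2, so the
# numeric check spells out the ASCII range explicitly.
ASCII_UID = re.compile(r"[0-9]+\Z")
# Assumption: a conservative review policy for names, not systemd's own rule.
ASCII_NAME = re.compile(r"[a-z_][a-z0-9_-]*\Z")

def classify_user(value):
    """Return (verdict, reason) for one User= value."""
    if ASCII_UID.match(value):
        return "ok", "numeric UID"
    odd = [c for c in value if ord(c) > 127]
    if odd:
        names = ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in odd)
        return "reject", "non-ASCII character(s): " + names
    if value[:1].isdigit():
        return "reject", "starts with a digit but is not a pure number"
    if ASCII_NAME.match(value):
        return "ok", "plain user name"
    return "reject", "unexpected characters in user name"

def audit_unit(text):
    """Return [(line_number, value, verdict, reason)] for each User= line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "User":
            findings.append((lineno, value.strip()) + classify_user(value.strip()))
    return findings

if __name__ == "__main__":
    for finding in audit_unit(SAMPLE_UNIT):
        print(finding)
```

A review tool that relies on isdigit() or int() would treat "3𝟢" as the number 30, which is why the check above names the offending code point instead.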