PoC to demonstrate root permission hijacking by exploiting “systemd-run”

https://twitter.com/hackerfantastic/status/1785495587514638559

Lennart Poettering intends to replace "sudo" with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new "root" process.

Don't miss what's happening

People on X are the first to know.

{
"by": "mariuz",
"descendants": 19,
"id": 40247399,
"kids": [
40247802,
40247788,
40248293,
40248244,
40254216,
40258100,
40258711,
40247771
],
"score": 31,
"time": 1714742639,
"title": "PoC to demonstrate root permission hijacking by exploiting “systemd-run”",
"type": "story",
"url": "https://twitter.com/hackerfantastic/status/1785495587514638559"
}
{
"author": null,
"date": "2024-05-01T02:24:55.000Z",
"description": "Lennart Poettering intends to replace “sudo” with systemd’s run0. Here’s a quick PoC to demonstrate root permission hijacking by exploiting the fact “systemd-run” (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new “root” process.",
"image": "https://abs.twimg.com/rweb/ssr/default/v2/og/image.png",
"logo": null,
"publisher": "Twitter",
"title": "hacker.house (@hackerfantastic) on X",
"url": "https://x.com/hackerfantastic/status/1785495587514638559"
}
{
"url": "https://twitter.com/hackerfantastic/status/1785495587514638559",
"title": "hacker.house (@hackerfantastic) on X",
"description": "PostLog inSign upPosthacker.house@hackerfantasticLennart Poettering intends to replace \"sudo\" with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact...",
"links": [
"https://x.com/hackerfantastic/status/1785495587514638559",
"https://twitter.com/hackerfantastic/status/1785495587514638559"
],
"image": "https://pbs.twimg.com/profile_images/1975213057216245760/3x5q1Pv__normal.png",
"content": "<div><div></div><div><div><p></p><h2>Post</h2><p></p><div><p><a target=\"_blank\" href=\"https://twitter.com/i/jf/onboarding/web?mode=login\">Log in</a><a target=\"_blank\" href=\"https://twitter.com/i/jf/onboarding/web?mode=signup\">Sign up</a></p></div></div><div><p></p><h2>Post</h2><p></p></div></div><div><article><div></div><div><div><div><div><p><a target=\"_blank\" href=\"https://x.com/hackerfantastic\"><img alt=\"user avatar\" src=\"https://pbs.twimg.com/profile_images/1975213057216245760/3x5q1Pv__normal.png\" srcset=\"https://pbs.twimg.com/profile_images/1975213057216245760/3x5q1Pv__mini.png 24w, https://pbs.twimg.com/profile_images/1975213057216245760/3x5q1Pv__normal.png 48w, https://pbs.twimg.com/profile_images/1975213057216245760/3x5q1Pv__bigger.png 73w, https://pbs.twimg.com/profile_images/1975213057216245760/3x5q1Pv__x96.png 96w, https://pbs.twimg.com/profile_images/1975213057216245760/3x5q1Pv__200x200.png 200w, https://pbs.twimg.com/profile_images/1975213057216245760/3x5q1Pv__400x400.png 400w\" /></a></p></div><div><div><p><a target=\"_blank\" href=\"https://x.com/hackerfantastic\">hacker.house</a></p></div><div><p><a target=\"_blank\" href=\"https://x.com/hackerfantastic\">@hackerfantastic</a></p></div></div></div><div><p><span>Lennart Poettering intends to replace \"sudo\" with systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact \"systemd-run\" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new \"root\" process.</span></p><div><div><p><a target=\"_blank\" href=\"https://twitter.com/hackerfantastic/status/1785495587514638559/photo/1\"><img src=\"https://pbs.twimg.com/media/GMdanXOWkAAwG4K?format=webp&amp;name=medium\" srcset=\"https://pbs.twimg.com/media/GMdanXOWkAAwG4K?format=webp&amp;name=small 680w, https://pbs.twimg.com/media/GMdanXOWkAAwG4K?format=webp&amp;name=medium 1200w, https://pbs.twimg.com/media/GMdanXOWkAAwG4K?format=webp&amp;name=large 2048w\" /></a></p></div><div><p><a target=\"_blank\" href=\"https://twitter.com/hackerfantastic/status/1785495587514638559/photo/2\"><img src=\"https://pbs.twimg.com/media/GMdan9DWEAAmOyF?format=webp&amp;name=medium\" srcset=\"https://pbs.twimg.com/media/GMdan9DWEAAmOyF?format=webp&amp;name=small 680w, https://pbs.twimg.com/media/GMdan9DWEAAmOyF?format=webp&amp;name=medium 1200w, https://pbs.twimg.com/media/GMdan9DWEAAmOyF?format=webp&amp;name=large 2048w\" /></a></p></div></div><div><p><span><a target=\"_blank\" href=\"https://twitter.com/hackerfantastic/status/1785495587514638559\">2:24 AM · May 1, 2024</a></span><span><a target=\"_blank\" href=\"https://x.com/hackerfantastic/status/1785495587514638559\"><span>377.6K</span><span>Views</span></a></span></p></div></div></div></div></article></div><div><div><p>Don't miss what's happening</p><p>People on X are the first to know.</p></div><div><p><a target=\"_blank\" href=\"https://twitter.com/i/jf/onboarding/web?mode=login\">Log in</a><a target=\"_blank\" href=\"https://twitter.com/i/jf/onboarding/web?mode=signup\">Sign up</a></p></div></div></div>",
"author": "@hackerfantastic",
"favicon": "https://twitter.com/favicon.ico",
"source": "twitter.com",
"published": "2024-05-01T02:24:55.000Z",
"ttr": 13,
"type": "article"
}