systemd-journald ANSI Escape Sequence Injection Vulnerability in ForwardToWall Enabled Configurations

A vulnerability exists in systemd version 259, specifically within the systemd-journald component. When the 'ForwardToWall' option is enabled, systemd-journald can transmit ANSI escape sequences to the terminals of arbitrary users. This occurs when an 'emerg' priority log message is sent using the 'logger' command. The vulnerability takes advantage of the default logging behavior in certain Linux distributions, including Ubuntu 26.04 pre-release and Arch Linux, where 'ForwardToWall' is set to 'yes'. This flaw can potentially be exploited to execute arbitrary code as root by manipulating terminal emulator vulnerabilities, particularly in XTerm.

Impact

Exploitation of this vulnerability allows for the injection of malicious ANSI escape sequences into other users' terminal sessions. This could be used to exploit known vulnerabilities in terminal emulators, such as XTerm, to execute arbitrary code with root privileges, especially if a root shell is open in the vulnerable terminal.

Reproduction

To reproduce this vulnerability, open two terminal windows as a non-root user. In one window, initiate a root shell using 'sudo -i'. In the other window, send an emerg-level log message with an ANSI escape sequence using the 'logger' command. The message will appear in the first terminal window, with the escape sequence applied, demonstrating the injection of unescaped characters into the terminal.

Remediation

Users can disable the 'ForwardToWall' option in systemd-journald's configuration file or add 'systemd.journald.forward_to_wall=no' to their kernel command line.