Child porn in systemd journal? Yes, we can.

Not yet discussed threat of systemd journal
There already has been a lot of discussion and flamewar about systemd. I’m not going to flame in this post. I’m going to show you one of the possible threats of using systemd that has not been discussed anywhere so far.
The problem is child porn and it’s storing in systemd journal. If you want to read more about this problem, just keep reading. Systemd journal uses structured binary log files to store logs. These are to be read via journalctl utility. Journalctl utility by default shows only a finite subset of all fields that has been logged to journal. Hence it’s not showing anything else, so it’s quite easy to store some malicious content, e.g. child pornography, malware or extremist material there without being noticed.
I’m not sure whether this is on purpose or if someone just wasn’t able to see all consequences this can have. In both cases, this problem is something that in my opinion should be discussed in public.

Example of hiding child pornography image in systemd journal
This paragraph shows how to use systemd journal to store child porn and how to withdraw it from logs. I’ve decided to publish theese two utilities to rise awareness about this problem in systemd journal.
Following utility is designed to store child porn image in journal logs. It simply reads image and stores it as additional field in journal log. Compile it with cc -g store_cp.c -o store_cp -lsystemd-journal $(pkg-config –cflags –libs glib-2.0) or similar command.

#include <systemd/sd-journal.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <glib.h>

#define MAXSIZE 10*1024*1024

int getfile(char *filename, char *out)
{
FILE *fp;
int c, byte_count;

fp = fopen(filename, “rb”);

byte_count=0;
while( (c=getc(fp)) != EOF ) {
if (byte_count >= MAXSIZE) {
break;
}
out[byte_count] = c;
byte_count++;
}
out[byte_count]=0x00;

fclose(fp);
return byte_count;
}

int main(int argc, char *argv[])
{
char *x;
char *xout;

if (argc != 2) {
printf(“Usage: ./log file\n”);
exit(1);
}

x = malloc(MAXSIZE);
memset(x, 0x00, MAXSIZE);
int size = getfile(argv[1], x);

guchar *input;
input = (guchar *)x;
gchar *output;
output = g_base64_encode(input, size);

sd_journal_send(“MESSAGE=Metadata cache bound hipster”,
“MESSAGE_ID=deaddeaddeaddeaddeaddeaddeaddead”,
“PRIORITY=5”,
“HOME=%s”, getenv(“HOME”),
“TERM=%s”, getenv(“TERM”),
“PAGE_SIZE=%li”, sysconf(_SC_PAGESIZE),
“N_CPUS=%li”, sysconf(_SC_NPROCESSORS_ONLN),
“PORN=%s”,output,
NULL);
return 0;
}

cp

As an example, you can use this image (which is by the ways recognized as child pornography in some states and you can go to prison just by loading this web page :-)) and store it in your systemd journal:
> ./store_cp cp.png
>
If you now use journalctl, you can see, that there is no sign of any child pornography stored.
If you want to retrieve this image, just use this or similar simple shell script:

#!/bin/sh
journalctl  –output=export | grep PORN | tail -1 | sed ‘s/^PORN=//’ | base64 –decode > outputporn.png

Now you have retrieved image, that has been hidden in systemd journal log stored as outputporn.png.

How can you solve this problem
So… we are facing problem with systemd journal logs. Someone, whether it’s some attacker, pedophile, terrorist or anyone else, can store some malicious content in systemd journal without being noticed with journalctl or journalctl -f commands.
What should you do about it? I recommend stop using journal. And as it’s so fucking tightly integrated within systemd… you probably should stop using systemd as a whole if you don’t want to be suspected of being pedophile. I personally recommend using either rsyslog or syslog-ng. When you use syslog and just use cat /var/log/messages as usual, you will see any suspicious data that could be logged.
I hope this blog post helped you realize the problems that systemd journal can lead to.