A dangerous local vulnerability is found in systemd 228 that allows a non-privileged attacker run a code as superuser.
As stated by security researcher Sebastian Krahmer, the problem previously found in systemd can be exploited not only for Linux distribution kit maintenance rejection, but for full access to the system.
The vulnerability occurs when systemd timers are runned initiating touch_file() function that creates files in directories /run, /var/run and /var/lib/systemd/timers/ with 07777 rights (value “–1” is passed by mistake) and SUID bit. The problem was found in the systemd source code in November, 2015 and fixed in January, 2016 before 229 version release. The vulnerability is present only in systemd 228.
A year later Krahmer found out that this problem can be used for privilege escalation up to the superuser level. The vulnerability has been given CVE-2016-10156 identifying code. According to the expert, a PoC exploit is available in the net which can be easily modified for vulnerability exploitation. A hacker needs access to target device for successful attack.