Ubuntu fixes bugs that normal customers may use to grow to be root


Ubuntu developers fixed a number of security vulnerabilities that made it easy for standard users to gain coveted root privileges.

"This blog post is about an amazingly simple way to extend Ubuntu's privileges," wrote Kevin Backhouse, a researcher at GitHub, in a post posted Tuesday. "With a few simple commands in the terminal and a few clicks of the mouse, a standard user can create an administrator account for himself."

The first set of commands threw a denial of service error in a daemon called Accountservice, which, as the name suggests, is used to manage user accounts on the computer. For this purpose, Backhouse created a symlink that linked a file with the name .pam_environment to / dev / zero, changed the regional language setting and sent a SIGSTOP to the account service. With the help of a few additional commands, Backhouse was able to set a timer that gave him just enough time to log out of the account before the account service crashed.

If executed correctly, Ubuntu would restart and open a window that allowed the user to create a new account that – you guessed it – had root privileges. Here is a video of Backhouse's attack in action.

Escalation of local Ubuntu 20.04 permissions using security holes in gdm3 and account service

According to Backhouse, Ubuntu uses a modified version of Accountservice that contains code that is not in the upstream version. The additional code looks for the .pam_environment file in the home directory. If you symlink the file to / dev / zero, .pam_environment will get stuck in an infinite loop.

The second bug that was involved in the hack was in the GNOME display manager, which manages user sessions and the login screen, among other things. The display manager, often abbreviated as gdm3, also triggers the initial setup of the operating system when it is determined that there are currently no users. advertising

"How does gdm3 check how many users are on the system?" Backhouse asked rhetorically. "You have probably already guessed it: by asking for the account daemon!" So what if the account daemon doesn't respond? The corresponding code is here. "

The vulnerabilities could only be triggered if someone had physical access to a vulnerable computer and a valid account on that computer. It only worked on desktop versions of Ubuntu. The maintainers of the open source operating system fixed the bugs last week. Backhouse, who said he found the vulnerabilities by accident, has many more technical details in the blog post linked above.


Steven Gregory