Ubuntu fixes bugs that standard users could use to become root

Ubuntu developers fixed a series of vulnerabilities that allowed standard users to easily gain coveted root privileges.

“This blog post is about a surprisingly simple way to increase privileges on Ubuntu,” GitHub researcher Kevin Backhouse wrote in a Tuesday post. “With a few simple commands in the terminal and a few mouse clicks, a standard user can create an administrator account for themselves.”

The first set of commands triggered a denial-of-service bug in a daemon called accountsservice, which, as the name suggests, manages user accounts on the computer. To do this, Backhouse created a symbolic link pointing a file named .pam_environment at /dev/zero, changed the regional language setting, and sent a SIGSTOP to accounts-daemon. With the help of a few more commands, Backhouse was able to set a timer that gave him just enough time to log out of the account before accounts-daemon went down.

Once done correctly, Ubuntu would restart and open a window allowing the user to create a new account which – you guessed it – had root privileges. Here is a video of Backhouse's attack in action.

Escalation of Ubuntu 20.04 local privileges using vulnerabilities in gdm3 and accountsservice

Backhouse said that Ubuntu ships a modified version of accountsservice that contains code not found in the upstream version. The additional code looks for a .pam_environment file in the user's home directory. By making that file a symbolic link to /dev/zero, a user can make accountsservice get stuck in an infinite loop reading it.
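To show why a symlink to /dev/zero is enough to hang a reader that trusts a user-owned file, and what a privileged daemon should do instead, here is an added example written for this article; it is not code from the page, from Backhouse's post, or from accountsservice itself. It places a fragile reader (follow the link, read until EOF) beside a hardened one that opens with O_NOFOLLOW and O_NONBLOCK, checks with fstat that it has a regular file, and caps the bytes it will read. The names read_pam_environment, read_pam_environment_unsafe, MAX_ENV_FILE_BYTES and run_demo, the size cap, and the simplified pam_env-style parser are all assumptions made for the example; the sample files are constructed in a temporary directory and the demo runs on Linux or another POSIX system.

```python
import errno
import os
import stat
import tempfile

# Assumed cap on how much of a user-owned file a privileged reader will accept.
# This value was chosen for the example; it is not accountsservice's own limit.
MAX_ENV_FILE_BYTES = 64 * 1024


def _parse_pam_env(text):
    """Parse pam_env-style lines ("KEY=VALUE" or "KEY DEFAULT=value [OVERRIDE=value]")
    into a dict. Blank lines and comments are skipped. Simplified for the example."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if "=" in tokens[0]:
            key, value = tokens[0].split("=", 1)
            env[key] = value
            continue
        key, value = tokens[0], None
        for tok in tokens[1:]:
            if tok.startswith("DEFAULT=") and value is None:
                value = tok[len("DEFAULT="):]
            elif tok.startswith("OVERRIDE=") and tok[len("OVERRIDE="):]:
                value = tok[len("OVERRIDE="):]
        if value is not None:
            env[key] = value
    return env


def read_pam_environment_unsafe(home_dir):
    """The fragile pattern: follow whatever ~/.pam_environment points at and read
    until EOF. On a symlink to /dev/zero, EOF never comes, so this never returns."""
    path = os.path.join(home_dir, ".pam_environment")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            return _parse_pam_env(f.read())
    except FileNotFoundError:
        return None


def read_pam_environment(home_dir):
    """Hardened reader: refuse symlinks, refuse anything that is not a regular file,
    never block on open, and bound the number of bytes read.
    Returns the parsed dict, or None if the file is absent or unsafe."""
    path = os.path.join(home_dir, ".pam_environment")
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_NOCTTY
    try:
        fd = os.open(path, flags)
    except FileNotFoundError:
        return None
    except OSError as exc:
        if exc.errno == errno.ELOOP:  # last path component is a symlink: refuse it
            return None
        raise
    try:
        st = os.fstat(fd)
        # Character devices, FIFOs, sockets and directories are all rejected here.
        if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_ENV_FILE_BYTES:
            return None
        chunks, total = [], 0
        while True:  # bounded read: the file could grow after fstat()
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            total += len(chunk)
            if total > MAX_ENV_FILE_BYTES:
                return None
            chunks.append(chunk)
    finally:
        os.close(fd)
    return _parse_pam_env(b"".join(chunks).decode("utf-8", errors="replace"))


def run_demo():
    """Build constructed home directories for each case and return what the
    hardened reader makes of each one."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        names = ("regular", "symlink_to_dev_zero", "fifo", "oversized", "missing")
        homes = {name: os.path.join(root, name) for name in names}
        for home in homes.values():
            os.mkdir(home)
        with open(os.path.join(homes["regular"], ".pam_environment"), "w") as f:
            f.write("# constructed sample file\nLANG=en_US.UTF-8\nFOO DEFAULT=bar\n")
        os.symlink("/dev/zero", os.path.join(homes["symlink_to_dev_zero"], ".pam_environment"))
        os.mkfifo(os.path.join(homes["fifo"], ".pam_environment"))
        with open(os.path.join(homes["oversized"], ".pam_environment"), "wb") as f:
            f.write(b"A" * (MAX_ENV_FILE_BYTES + 1))
        for name, home in homes.items():
            results[name] = read_pam_environment(home)
        # The unsafe reader is only ever pointed at the benign home here.
        results["regular_unsafe"] = read_pam_environment_unsafe(homes["regular"])
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:22s} -> {value}")
```

Two points the demo makes visible: O_NOFOLLOW rejects the symlink before anything is read, and the fstat check catches a device or FIFO placed there directly rather than through a link. The example trusts home_dir itself; a reader that must also defend against symlinked parent directories would walk the path with openat() and O_NOFOLLOW at each step.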

The second bug involved in the hack was in GNOME’s display manager, which manages user sessions and the login screen, among other things. The display manager, commonly referred to as gdm3, also triggers the operating system’s initial setup when it detects that no user account currently exists.

“How does gdm3 check the number of users on the system?” Backhouse asked rhetorically. “You’ve probably guessed it already: by asking accounts-daemon! So what if accounts-daemon is not responding? The relevant code is here.”

The vulnerabilities could only be triggered by someone with physical access to, and a valid account on, a vulnerable machine, and they only worked on desktop versions of Ubuntu. The maintainers of the open source operating system fixed the bugs last week. Backhouse, who said they found the vulnerabilities by accident, gives many more technical details in the blog post.