Ubuntu fixes bugs that standard users could use to get root | GeekComparison

Image of ones and zeros with the word

Ubuntu developers have patched a series of vulnerabilities that made it easy for standard users to gain coveted root privileges.

“This blog post is about an amazingly simple way to escalate privileges on Ubuntu,” Kevin Backhouse, a researcher at GitHub, wrote in a post published Tuesday. “With a few simple commands in the terminal and a few mouse clicks, a standard user can create an administrator account for himself.”

The first set of commands caused a denial-of-service bug in a daemon called accountsservice, which, as the name suggests, is used to manage user accounts on the computer. To do this, Backhouse created a Symlink that linked a file called .pam_environment to /dev/zero, changed the regional language setting, and sent accounts service a SIGSTOP. With the help of a few extra commands, Backhouse was able to set a timer that gave him just enough time to log out of the account before accounts service crashed.

If done correctly, Ubuntu would reboot and open a window where the user could create a new account that had – you guessed it – root privileges. Here’s a video of Backhouse’s attack in action.

Ubuntu 20.04 local privilege escalation using vulnerabilities in gdm3 and accounts service

Backhouse said Ubuntu uses a modified version of accounts service that contains code that is not included in the upstream version. The extra code looks for the .pam_environment file in the home directory. Making the file a symbolic link to /dev/zero causes .pam_environment to get stuck in an infinite loop.

The second bug involved in the hack was in the GNOME display manager, which manages user sessions and the login screen, among other things. The display manager, often abbreviated as gdm3, also triggers the initial installation of the operating system when it detects that there are currently no users.

“How does gdm3 check how many users are on the system?” asked Backhouse rhetorically. “You probably guessed it: by asking accounts-daemon! So what happens if accounts daemon is not responding? The relevant code is here.”

The vulnerabilities could only be activated if someone had physical access and a valid account on a vulnerable machine. It only worked on desktop versions of Ubuntu. Administrators of the open source operating system patched the bugs last week. Backhouse, who said he found the vulnerabilities by accident, has much more technical detail in the blog post linked above.

Leave a Comment