Ubuntu fixes bugs that standard users could use to become root
#1
Ubuntu developers have fixed a series of vulnerabilities that made it easy for standard users to gain coveted root privileges.

Quote:“This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu,” Kevin Backhouse, a researcher at GitHub, wrote in a post published on Tuesday.

“With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves.”


The first series of commands triggered a denial-of-service bug in a daemon called accountsservice, which as its name suggests is used to manage user accounts on the computer. To do this, Backhouse created a Symlink that linked a file named .pam_environment to /dev/zero, changed the regional language setting, and sent accountsservice a SIGSTOP. With the help of a few extra commands, Backhouse was able to set a timer that gave him just enough time to log out of the account before accountsservice crashed.

When done correctly, Ubuntu would restart and open a window that allowed the user to create a new account that—you guessed it—had root privileges. Here’s a video of Backhouse’s attack in action.

Backhouse said that Ubuntu uses a modified version of accountsservice that contains code that’s not included in the upstream version. The extra code looks for the .pam_environment file in the home directory. By making the file a symlink to /dev/zero, .pam_environment gets stuck in an infinite loop.

The second bug involved in the hack resided in the GNOME display manager, which among other things manages user sessions and the login screen. The display manager, which is often abbreviated as gdm3, also triggers the initial setup of the OS when it detects no users currently exist.

Quote:“How does gdm3 check how many users there are on the system?” Backhouse asked rhetorically. “You probably already guessed it: by asking accounts-daemon! So what happens if accounts-daemon is unresponsive? The relevant code is here.”


The vulnerabilities could be triggered only when someone had physical access to, and a valid account on, a vulnerable machine. It worked only on desktop versions of Ubuntu. 

Maintainers of the open source OS patched the bugs last week.

Backhouse said he found the vulnerabilities by accident.







https://arstechnica.com/information-tech...come-root/
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Credit Card use gganderson 10 37,395 Jul 03, 2023, 01:26 am
Last Post: Mint555
  Australia: NSW Government to ban use and posession of encrypted devices Resurgence 4 14,625 Jul 04, 2022, 10:26 am
Last Post: FurriesRock
  Canada’s national police force admits use of spyware to hack phones Resurgence 0 11,163 Jun 30, 2022, 01:47 am
Last Post: Resurgence
  Online trackers can detect 80% of users' browsing history Resurgence 1 12,334 Feb 07, 2022, 22:19 pm
Last Post: balder
  Canada’s privacy watchdog probing health officials’ use of cellphone location data Resurgence 0 12,113 Jan 17, 2022, 21:29 pm
Last Post: Resurgence



Users browsing this thread: 1 Guest(s)