A security researcher at GitHub has reported two Ubuntu vulnerabilities. Combined, they allow any local user to gain LPE (Local Privilege Escalation) on the system. Only the Desktop version of Ubuntu is affected. The researcher, Kevin Backhouse, discovered these vulnerabilities quite by accident.
The LPE is achieved through the combined effect of the two vulnerabilities: a timeout flaw in the system’s user registration process and a DoS vulnerability. Together, they allow any user to create an administrator account without the relevant permissions, which in turn allows them to completely take over the device on which Ubuntu is running.
The denial-of-service vulnerability
This is a two-stage exploit that allows any user to get administrator access to the system through the accounts service daemon, aka accounts-daemon. The accounts-daemon manages the user accounts on the device, from creating accounts to changing passwords. Daemons have no user interface and run in the background. The system settings dialog box uses D-Bus to communicate with accounts-daemon.
Ubuntu uses a modified version of accountsservice with extra code that does not exist in the upstream version maintained by freedesktop. Ubuntu’s patch adds a function named is_in_pam_environment, which looks for a file named .pam_environment in the user’s home directory and reads it.
The denial-of-service vulnerability works by making .pam_environment a symlink to /dev/zero. /dev/zero is a special file that does not actually exist on disk; it behaves like an infinitely long file whose every byte is zero. So every time is_in_pam_environment attempts to read .pam_environment, the symlink redirects it to /dev/zero, the read never reaches end of file, and the daemon gets stuck in an infinite loop.
In the second part, a SIGSEGV is sent to accounts-daemon to crash it. An unprivileged user is able to crash this system service because the daemon drops privileges before it starts reading the user’s .pam_environment. That is, the daemon temporarily relinquishes its root privileges and adopts the user’s lower privileges. This was intended as a security measure to protect the daemon from malicious users, but done this way it grants the user permission to send the daemon signals.
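One defensive pattern for the read described above, as an added example (not Ubuntu’s accountsservice code and not the actual fix): open the user-owned file without following symlinks, accept only regular files of bounded size, and cap the bytes read, so a special file like /dev/zero can no longer keep the daemon in an infinite loop. The temp file names and the sample file contents are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bounded reader for a user-owned config file such as ~/.pam_environment
 * (added example, not the accountsservice code). Returns bytes read, or -1
 * with *why describing the refusal. */
ssize_t read_user_config_bounded(const char *path, char *buf, size_t cap, const char **why)
{
    struct stat st; size_t total = 0; *why = NULL;
    /* O_NOFOLLOW: a symlink as the final path component fails with ELOOP */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { *why = errno == ELOOP ? "symlink refused" : "open failed"; return -1; }
    /* /dev/zero is a character device: only regular files smaller than cap pass */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) *why = "not a regular file";
    else if (st.st_size >= (off_t)cap) *why = "file too large";
    while (!*why && total < cap) {            /* never read past the buffer */
        ssize_t n = read(fd, buf + total, cap - total);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) *why = "read failed";
        if (n <= 0) break;                    /* EOF: a real file ends */
        total += (size_t)n;
    }
    close(fd);
    if (!*why && total == cap) *why = "exceeded read cap";  /* size changed under us */
    return *why ? -1 : (ssize_t)total;
}

/* Constructed check: the same path read twice, first as a 15-byte regular file,
 * then replaced by a symlink to /dev/zero; returns 1 if the symlink is refused. */
int demo_regular_then_symlink(void)
{
    char path[] = "/tmp/pamenv_demo_XXXXXX", buf[256]; const char *why;
    const char line[] = "LANG DEFAULT=C\n";           /* constructed content */
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    ssize_t w = write(fd, line, sizeof line - 1);
    close(fd);
    ssize_t n1 = w == (ssize_t)(sizeof line - 1) ? read_user_config_bounded(path, buf, sizeof buf, &why) : -1;
    unlink(path);
    int refused = symlink("/dev/zero", path) == 0 &&
                  read_user_config_bounded(path, buf, sizeof buf, &why) == -1 &&
                  strcmp(why, "symlink refused") == 0;
    unlink(path);
    return n1 == (ssize_t)(sizeof line - 1) && refused;
}
```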
Vulnerability in GNOME
The second bug affects GNOME Display Manager (gdm3), a critical part of Ubuntu’s user interface. It manages the login screen and user sessions, and it also handles the initial setup of a new device. gdm3 uses accounts-daemon, over D-Bus, to check the number of users on the device.
Because of the aforementioned vulnerability, accounts-daemon becomes unresponsive and the D-Bus call fails with a timeout. The code therefore never sets the value of priv->have_existing_user_accounts, which defaults to false. This makes gdm3 assume there are no user accounts on the device, even when there are, so gnome-initial-setup is launched. It sets up an administrator account on the device, giving the attacker complete control over it.
The accidental discovery
As Kevin Backhouse recounts in the GitHub blog, the discovery of these vulnerabilities was quite accidental. On 14 October 2020, Kevin found multiple denial-of-service bugs in accountsservice and wrote a vulnerability report for them. When he stopped working and later reopened his laptop, he had been locked out of his account. This happened because he had forgotten to delete the .pam_environment symlink he had been experimenting with earlier.
While killing accounts-daemon with SIGSEGV, he was presented with the gnome-initial-setup dialog box, which led to the discovery of the second vulnerability. Kevin tried to reproduce the steps but was unsuccessful in the attempt. Still, by accident, he had found both bugs before they could be exploited by a malicious party.
Both Ubuntu Vulnerabilities Patched!
Both vulnerabilities have been reported to Ubuntu and patched. The accountsservice vulnerability was patched by Ubuntu first, on 3 November, and the GNOME vulnerability was patched on 4 November. Ubuntu has acted promptly to protect its users by patching these vulnerabilities in due time.
Though accidentally discovered, these Ubuntu vulnerabilities give an insight into the risks Ubuntu users face. Ubuntu is known for the security it offers its users, and the disclosure of such vulnerabilities calls that reputation into question; with timely patching, however, it has protected its users once again.