Ubuntu Patches Bug That Tricked Gnome Desktop Into Giving Root Access (arstechnica.com) 25
"Ubuntu developers have fixed a series of vulnerabilities that made it easy for standard users to gain coveted root privileges," reports Ars Technica:
"This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu," Kevin Backhouse, a researcher at GitHub, wrote in a post published on Tuesday. "With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves."
The first series of commands triggered a denial-of-service bug in a daemon called accountsservice, which as its name suggests is used to manage user accounts on the computer... With the help of a few extra commands, Backhouse was able to set a timer that gave him just enough time to log out of the account before accountsservice crashed. When done correctly, Ubuntu would restart and open a window that allowed the user to create a new account that — you guessed it — had root privileges...
The second bug involved in the hack resided in the GNOME display manager, which among other things manages user sessions and the login screen. The display manager, which is often abbreviated as gdm3, also triggers the initial setup of the OS when it detects no users currently exist. "How does gdm3 check how many users there are on the system?" Backhouse asked rhetorically. "You probably already guessed it: by asking accounts-daemon! So what happens if accounts-daemon is unresponsive....?"
The vulnerabilities could be triggered only when someone had physical access to, and a valid account on, a vulnerable machine. It worked only on desktop versions of Ubuntu.
"This bug is now tracked as CVE-2020-16125 and rated with a high severity score of 7.2 out of 10. It affects Ubuntu 20.10, Ubuntu 20.04, and Ubuntu 18.04..." reports Bleeping Computer.
They add that the GitHub security research who discovered the bugs "reported them to Ubuntu and GNOME maintainers on October 17, and fixes are available in the latest code."
The first series of commands triggered a denial-of-service bug in a daemon called accountsservice, which as its name suggests is used to manage user accounts on the computer... With the help of a few extra commands, Backhouse was able to set a timer that gave him just enough time to log out of the account before accountsservice crashed. When done correctly, Ubuntu would restart and open a window that allowed the user to create a new account that — you guessed it — had root privileges...
The second bug involved in the hack resided in the GNOME display manager, which among other things manages user sessions and the login screen. The display manager, which is often abbreviated as gdm3, also triggers the initial setup of the OS when it detects no users currently exist. "How does gdm3 check how many users there are on the system?" Backhouse asked rhetorically. "You probably already guessed it: by asking accounts-daemon! So what happens if accounts-daemon is unresponsive....?"
The vulnerabilities could be triggered only when someone had physical access to, and a valid account on, a vulnerable machine. It worked only on desktop versions of Ubuntu.
"This bug is now tracked as CVE-2020-16125 and rated with a high severity score of 7.2 out of 10. It affects Ubuntu 20.10, Ubuntu 20.04, and Ubuntu 18.04..." reports Bleeping Computer.
They add that the GitHub security research who discovered the bugs "reported them to Ubuntu and GNOME maintainers on October 17, and fixes are available in the latest code."
Re: (Score:2, Funny)
Fuck off, you racist cunt.
Windows. Ubuntu. No difference. (Score:2)
Ubuntu managed to turn Linux into a mess of utterly random programs that try to do almost everything automatically. As someone who has to admin Linux servers every day (most of which are running systemd, sadly, but even then), it's barely understandable to me. It does whatever the fuck it wants to. This thing? It's Windows, except running on a Linux kernel.
Re: (Score:2)
Absolutely. Linux is slowly but surely losing the main selling points which led to its initial adoption and success. Being that it was an open Unix-like system which was adaptable to meet any purpose. A key part of that was being simple and understandable by anyone who cared to look at it. With that gone, it's just as opaque and unpredictable as Windows, but with the added disadvantage of having poorer hardware support. It's now on a par with Windows in terms of reliability, so I got to the point where
systemd (Score:2, Interesting)
Strikes again. Taking something that worked fine for decades and then re-implementing it poorly.
Re: (Score:1)
The accounts daemon is a separate entity that uses Dbus and is not part of systemd so I'm not sure what you're on about.
Re: (Score:2)
FWIW I'm on Debian, with systemd, and we just have no account-service daemon.
Perhaps instead of auto-freaking on systemd you may reconsider Ubuntu?
Re: (Score:3)
I've used it enough to see its the Windows of the Linux world. Per your suggestion I found this which is pretty funny https://utcc.utoronto.ca/~cks/... [utoronto.ca]
Re: (Score:2)
Re: (Score:3)
This has nothing to do with systemd. This is a specific Ubuntu issue. Canonical altered Accountsservice to look for .pam_environment (something that does not exist upstream). If you simlink .pam_environment to /dev/zero (and do some other things after) you can force Ubuntu to create a new account which has sudo permissions (is apart of wheel group).
"Tricked Gnome Desktop" (Score:3, Insightful)
security model (Score:2)
Re: (Score:2)
Your security model should not rely on Linux not having privilege escalation exploits (because it has a lot of them).
Can you explain what you mean by that? I can't make sense of the statement without using a very narrow definition of "privilege escalation".
Re: (Score:2)
Making things more complicated typically makes... (Score:2)
...them less secure.
Unfortunately much of the Freedesktop.org Movement has been about making things more complicated. Usually this is to work around subjectively seen limitations.
A typical example is Wayland: It takes valid criticism of X11 to an uninformed conclusion. Instead of looking at more advanced systems like "rio" (Window manage of Plan9) they repeat most of the same mistakes many people have done before. Wayland, for example, still relies on libraries for communication between applications and the
Thanks for all the fish Ubuntu (Score:4, Insightful)
Appreciate what Ubuntu did to popularize Linux on the desktop, but if you're serious then do what everybody else does and move to real Debian or a more intelligently governed fork than Ubuntu. Just leave Ubuntu to be what it does best, a portal for Micro$oft refugees.
Re: (Score:2)
It's the core of Ubuntu that falls apart for me... version upgrade. Falls down humpty dumpty more often than not. Just not thought through at all.
Re: (Score:1)
who would install GNOME and other crap on a server anyway? Seems Ubuntu as a server wouldn't have this issue.
Re: Thanks for all the fish Ubuntu (Score:2)
Agreed. While root access is always a concern, the scenario described makes it a fairly minor exploit.
A user that already has an account on the box and access to the terminal -- meaning they are sitting in front of the box with likely physical access. Both also look like GUI login issues, making it less likely to be a serious server.
It is still a root exploit so deserves attention, but this shouldn't be headline news as similar escalation bugs exist aplenty.
The real WTF is people still using Ubuntu (Score:3)
The real WTF is people still using Ubuntu. I mean, if you want to get specific, Ubuntu had their own fucked up, broken implementation of this daemon since at least 2012 [utoronto.ca]. There are fine distros out there, Ubuntu is (or was) just popular.
daemon for user accounts? WHY???? (Score:1)
Why the fsck is there a daemon managing static data like user accounts???
Astonishingly (Score:1)
Most exploits are astonishingly straightforward. Once they are discovered.