How to get root on Ubuntu 20.04 by pretending nobody’s /home

I’m a fan of Ubuntu, so I would like to help make it as secure as possible. I have recently spent quite a bit of time looking for security vulnerabilities in Ubuntu’s system services, and it has mostly been an exercise in frustration. I have found (and reported) a few issues, but the majority have been low severity. Ubuntu is open source, which means that many people have looked at the source code before me, and it seems like all the easy bugs have already been found. In other words, I don’t want this blog post to give you the impression that Ubuntu is full of trivial security bugs; that’s not been my impression so far.

This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu. With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves. I have made a short demo video, to show how easy it is.

It’s unusual for a vulnerability on a modern operating system to be this easy to exploit. I have, on some occasions, written thousands of lines of code to exploit a vulnerability. Most modern exploits involve complicated trickery, like using a memory corruption vulnerability to forge fake objects in the heap, or replacing a file with a symlink with microsecond accuracy to exploit a TOCTOU vulnerability. So these days it’s relatively rare to find a vulnerability that doesn’t require coding skills to exploit. I also believe the vulnerability is easy to understand, even if you have no prior knowledge of how Ubuntu works or any security research experience.

Disclaimer: For somebody to exploit this vulnerability, they need access to the graphical desktop session of the system, so this issue affects desktop users only.

Here is a description of the exploitation steps, as shown in the demo video.

First, open a terminal and create a symlink in your own home directory:

ln -s /dev/zero .pam_environment

(If that doesn’t work because a file named .pam_environment already exists, then just temporarily rename the old file so that you can restore it later.)

Next, open “Region & Language” in the system settings and try to change the language. The dialog box will freeze, so just ignore it and go back to the terminal. At this point, a program named accounts-daemon is consuming 100% of a CPU core, so your computer may become slow and start to get hot.

In the terminal, delete the symlink. Otherwise you might lock yourself out of your own account!

rm .pam_environment

The next step is to send a SIGSTOP signal to accounts-daemon to stop it from thrashing that CPU core. But to do that, you first need to know accounts-daemon’s process identifier (PID). In the video, I do that by running top, which is a utility for monitoring the running processes. Because accounts-daemon is stuck in an infinite loop, it quickly goes to the top of the list. Another way to find the PID is with the pidof utility:

$ pidof accounts-daemon

Armed with accounts-daemon’s PID, you can use kill to send the SIGSTOP signal:

kill -SIGSTOP 597

Your computer can take a breather now.

This is the crucial step. You’re going to log out of your account, but first you need to set a timer to reset accounts-daemon after you have logged out. Otherwise you’ll just be locked out and the exploit will fail. (Don’t panic if this happens: everything will be back to normal after a reboot.) Here’s how to set the timer:

nohup bash -c "sleep 30s; kill -SIGSEGV 597; kill -SIGCONT 597"

The nohup utility is a simple way to leave a script running after you have logged out. This command tells it to run a bash script that does three things:

  1. Sleep for 30 seconds. (You just need to give yourself enough time to log out. I set it to 10 seconds for the video.)
  2. Send accounts-daemon a SIGSEGV signal, which will make it crash.
  3. Send accounts-daemon a SIGCONT signal to deactivate the SIGSTOP, which you sent earlier. The SIGSEGV won’t take effect until the SIGCONT is received.

Once that is done, log out and wait a few seconds for the SIGSEGV to detonate. If the exploit is successful, then you will be presented with a series of dialog boxes which let you create a new user account. The new user account is an administrator account. (In the video, I run id to show that the new user is a member of the sudo group, which means that it has root privileges.)


Stay with me! Even if you have no prior knowledge of how Ubuntu (or more specifically, GNOME) works, I reckon I can explain this vulnerability to you. There are actually two bugs involved. The first is in accountsservice, which is a service that manages user accounts on the computer. The second is in GNOME Display Manager (gdm3), which, among other things, handles the login screen. I’ll explain each of these bugs separately below.

accountsservice denial of service (GHSL-2020-187, GHSL-2020-188 / CVE-2020-16126, CVE-2020-16127)

The accountsservice daemon (accounts-daemon) is a system service that manages user accounts on the machine. It can do things like create a new user account or change a user’s password, but it can also do less security-sensitive things like change a user’s icon or their preferred language. Daemons are programs that run in the background and do not have their own user interface. However, the system settings dialog box can communicate with accounts-daemon via a message system known as D-Bus.

System Settings: Users

System Settings: Region & Language

In the exploit, I use the system settings dialog box to change the language. A standard user is allowed to change that setting on their own account – administrator privileges are not required. Under the hood, the system settings dialog box sends the org.freedesktop.Accounts.User.SetLanguage command to accounts-daemon, via D-Bus.

It turns out that Ubuntu uses a modified version of accountsservice that includes some extra code that doesn’t exist in the upstream version maintained by freedesktop. Ubuntu’s patch adds a function named is_in_pam_environment, which looks for a file named .pam_environment in the user’s home directory and reads it. The denial of service vulnerability works by making .pam_environment a symlink to /dev/zero. /dev/zero is a special file that doesn’t actually exist on disk. It is provided by the operating system and behaves like an infinitely long file in which every byte is zero. When is_in_pam_environment tries to read .pam_environment, it gets redirected to /dev/zero by the symlink, and then gets stuck in an infinite loop because /dev/zero is infinitely long.
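The defensive counterpart to the bug just described is a reader that refuses to follow a symlink in the user’s home directory and bounds how much it is willing to read. The following C is an added example written for this post, not Ubuntu’s or accountsservice’s own code: the function name read_user_config_bounded, the size limit PAM_ENV_MAX_BYTES and the temp-directory fixture are all constructed here. It opens the path with O_NOFOLLOW (so a symlink such as .pam_environment -> /dev/zero fails with ELOOP before a byte is read), verifies with fstat on the open descriptor that the target is a small regular file, and caps the read loop so that a file which is infinitely long, or which grows while being read, cannot spin the caller forever.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Upper bound on a sane per-user environment file (constructed value). */
#define PAM_ENV_MAX_BYTES (64 * 1024)

/*
 * Read a per-user config file such as ~/.pam_environment without trusting
 * the contents of the home directory.
 *  - O_NOFOLLOW refuses a symlink in the final path component (ELOOP).
 *  - fstat on the descriptor, not stat on the path, avoids a TOCTOU window
 *    and rejects devices, FIFOs and oversized files.
 *  - The loop is bounded by cap; a file that never reaches EOF is rejected.
 * Returns bytes read, or -1 with errno set. Pass a buffer of cap bytes;
 * files of cap bytes or more are rejected, so size cap as max_accepted + 1.
 */
ssize_t read_user_config_bounded(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_size > PAM_ENV_MAX_BYTES) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    size_t total = 0;
    while (total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (n == 0)      /* EOF is the only successful exit */
            break;
        total += (size_t)n;
    }
    close(fd);
    if (total == cap) {  /* buffer filled without seeing EOF: too big or grew */
        errno = EFBIG;
        return -1;
    }
    return (ssize_t)total;
}

/*
 * Constructed fixture: a temp directory holding a small regular file and a
 * symlink to /dev/zero, i.e. the benign and the hostile case from the text.
 * Returns 1 if the regular file reads back intact while the symlink and
 * /dev/zero itself are both rejected, 0 otherwise.
 */
int demo_pam_environment_fixture(void)
{
    char dir[] = "/tmp/pamenv-XXXXXX";
    if (!mkdtemp(dir))
        return 0;
    char regular[256], link[256];
    snprintf(regular, sizeof regular, "%s/regular", dir);
    snprintf(link, sizeof link, "%s/link", dir);

    const char content[] = "LANG=en_GB.UTF-8\n";  /* constructed sample */
    int ok = 0;
    FILE *f = fopen(regular, "w");
    if (f && fputs(content, f) != EOF && fclose(f) == 0
        && symlink("/dev/zero", link) == 0) {
        static char buf[PAM_ENV_MAX_BYTES + 1];
        ssize_t n = read_user_config_bounded(regular, buf, sizeof buf);
        int regular_ok = n == (ssize_t)strlen(content)
                         && memcmp(buf, content, (size_t)n) == 0;
        int link_rejected = read_user_config_bounded(link, buf, sizeof buf) == -1
                            && errno == ELOOP;
        int zero_rejected = read_user_config_bounded("/dev/zero", buf, sizeof buf) == -1;
        ok = regular_ok && link_rejected && zero_rejected;
    }
    unlink(link);
    unlink(regular);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("fixture %s\n", demo_pam_environment_fixture() ? "passed" : "FAILED");
    return 0;
}
```

The two checks are deliberately redundant: O_NOFOLLOW stops the symlink case, and S_ISREG stops a device or FIFO placed at that path by any other route, so neither a link to /dev/zero nor a FIFO that never closes can keep the daemon busy.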

There’s a second part to this bug. The exploit involves crashing accounts-daemon by sending it a SIGSEGV. Surely a standard user shouldn’t be allowed to crash a system service like that? They shouldn’t, but accounts-daemon inadvertently allows it by dropping privileges just before it starts reading the user’s .pam_environment. Dropping privileges means that the daemon temporarily forfeits its root privileges, adopting instead the lower privileges of the user. Ironically, that’s intended to be a security precaution, the goal of which is to protect the daemon from a malicious user who does something like symlinking their .pam_environment to /etc/shadow, which is a highly sensitive file that ordinary users aren’t allowed to read. Unfortunately, when done incorrectly, it also grants the user permission to send the daemon signals (on Linux, a process may signal any process whose real or saved user ID matches its own), which is why we’re able to send accounts-daemon a SIGSEGV.

gdm3 privilege escalation due to unresponsive accounts-daemon (GHSL-2020-202 / CVE-2020-16125)

GNOME Display Manager (gdm3) is a fundamental component of Ubuntu’s user interface. It handles things like starting and stopping user sessions when they log in and out. It also manages the login screen.

gdm3 login screen

Another component handled by gdm3 is the initial setup of a new computer. When you install Ubuntu on a new computer, one of the first things that you need to do is create a user account. The initial user account needs to be an administrator so that you can continue setting up the machine, doing things like configuring the wifi and installing applications. Here’s a screenshot of the initial setup screen (taken from the exploit video):


The dialog box that you see in the screenshot is a separate application, called gnome-initial-setup. It is triggered by gdm3 when there are zero user accounts on the system, which is the expected state during the initial setup of a new computer. How does gdm3 check how many users there are on the system? You probably already guessed it: by asking accounts-daemon! So what happens if accounts-daemon is unresponsive? The relevant code is here.

It uses D-Bus to ask accounts-daemon how many users there are, but since accounts-daemon is unresponsive, the D-Bus method call fails due to a timeout. (In my testing, the timeout took around 20 seconds.) Due to the timeout error, the code does not set the value of priv->have_existing_user_accounts. Unfortunately, the default value of priv->have_existing_user_accounts is false, not true, so now gdm3 thinks that there are zero user accounts and it launches gnome-initial-setup.
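The root cause is a fail-open default: the flag that gates the privileged first-boot wizard starts out as “no accounts” and is only corrected when the D-Bus call succeeds, so every failure mode (timeout, crash, D-Bus error) looks like a fresh install. The C below is an added illustration of that pattern next to its fail-closed counterpart; it is not gdm3’s code, and the lookup_result type, the LOOKUP_* statuses and the two should_run_initial_setup_* functions are constructed here to stand in for the real GDBus call and priv->have_existing_user_accounts.

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of asking the accounts service how many users exist over D-Bus.
 * Constructed for this example; the real gdm3 code uses GDBus and differs. */
typedef enum {
    LOOKUP_OK,       /* reply received; user_count is valid */
    LOOKUP_TIMEOUT,  /* the service did not answer before the D-Bus timeout */
    LOOKUP_ERROR     /* any other D-Bus failure (service crashed, no bus, ...) */
} lookup_status;

typedef struct {
    lookup_status status;
    int user_count;  /* only meaningful when status == LOOKUP_OK */
} lookup_result;

/* Fail-open: the flag defaults to "no accounts" and is only updated on a
 * successful reply, so an unreachable service launches the setup wizard. */
bool should_run_initial_setup_fail_open(lookup_result r)
{
    bool have_existing_user_accounts = false;   /* vulnerable default */
    if (r.status == LOOKUP_OK)
        have_existing_user_accounts = r.user_count > 0;
    return !have_existing_user_accounts;
}

/* Fail-closed: presume accounts exist unless the service positively reports
 * zero. A timeout or error then yields the ordinary login screen instead of
 * a privileged account-creation dialog. */
bool should_run_initial_setup_fail_closed(lookup_result r)
{
    bool have_existing_user_accounts = true;    /* safe default */
    if (r.status == LOOKUP_OK)
        have_existing_user_accounts = r.user_count > 0;
    return !have_existing_user_accounts;
}

int main(void)
{
    const lookup_result cases[] = {
        { LOOKUP_OK, 0 },       /* genuine first boot */
        { LOOKUP_OK, 3 },       /* normal machine */
        { LOOKUP_TIMEOUT, 0 },  /* accounts-daemon hung (the scenario above) */
        { LOOKUP_ERROR, 0 },    /* accounts-daemon crashed */
    };
    const char *names[] = { "ok/0 users", "ok/3 users", "timeout", "error" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-12s fail-open: %-5s fail-closed: %s\n", names[i],
               should_run_initial_setup_fail_open(cases[i]) ? "setup" : "login",
               should_run_initial_setup_fail_closed(cases[i]) ? "setup" : "login");
    return 0;
}
```

Only the timeout and error rows differ between the two columns, which is exactly the difference between the bug and its mitigation: a state that unlocks privileged behaviour should have to be proven, never assumed when the check cannot be completed.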

I have a confession to make: I found this bug completely by accident. Here’s the message that I sent to my colleagues at roughly 10pm BST on October 14:

I just got LPE by accident, but I'm not quite sure how to reproduce it. 🤦

Here’s what had happened: I had found a few denial-of-service vulnerabilities in accountsservice. I considered them low severity, but was writing them up for a vulnerability report to send to Ubuntu. Around 6pm, I stopped work and closed my laptop lid. Later in the evening, I opened the laptop lid and found that I was locked out of my account. I had been experimenting with the .pam_environment symlink and had forgotten to delete it before closing the lid. No big deal: I used Ctrl-Alt-F4 to open a console, logged in (the console login was not affected by the accountsservice DOS), and killed accounts-daemon with a SIGSEGV. I didn’t need to use sudo because of the privilege dropping vulnerability. The next thing I knew, I was looking at the gnome-initial-setup dialog boxes, and was amazed to see that I was able to create a new user with administrator privileges.

Unfortunately, when I tried to reproduce the same sequence of steps, I couldn’t get it to work again. I checked the system logs for clues, but there wasn’t much information because I didn’t have gdm’s debug messages enabled. The exploit that I have since developed requires the user to log out of their account, but I definitely didn’t do that on the evening of October 14. So it remains a mystery how I accidentally triggered the bug that evening.

Later that evening, I sent further messages to my (US-based) colleagues describing what had happened. Talking about the dialog boxes helped to jog my memory about something that I had noticed recently. Many of the system services that I had been looking at use policykit to check whether the client is allowed to request an action. I had noticed a file called gnome-initial-setup.pkla, which is a policykit configuration file that grants a user named gnome-initial-setup the ability to do a number of security-sensitive things, such as mounting filesystems and creating new user accounts. So I said to my colleagues: “I wonder if it has something to do with gnome-initial-setup,” and Bas Alberts almost immediately jumped in with a hypothesis that turned out to be right on the money: “You tricked gdm into launching gnome-initial-setup, I reckon, which perhaps happens if a gdm session cannot check that an account already exists.”

After that, it was just a matter of finding the code in gdm3 that triggers gnome-initial-setup and figuring out how to trigger it while accounts-daemon is unresponsive. I found that the relevant code is triggered when a user logs out.

And that’s the story of how the end of my workday was the start of an 0-day!
