How an accidental discovery saw one security researcher gain complete control of Linux devices

Vulnerabilities in Ubuntu could lead to privilege escalation and root access

A security researcher has told how he accidentally achieved local privilege escalation (LPE) on the Ubuntu operating system by chaining two vulnerabilities to gain root access.

Ubuntu, the Debian-based Linux distribution, ships in three versions: desktop, server, and core for IoT devices.

The LPE vulnerability, which only impacts the desktop version, is the result of two bugs – a denial-of-service (DoS) vulnerability and a timeout flaw that was discovered in the user registration process.

When combined, the vulnerabilities allowed a malicious user to create a new administrator account without having the relevant permissions, enabling them to completely take over devices running the OS.

Accidentally on purpose

The two-stage exploit was discovered by GitHub security researcher Kevin Backhouse, who said he stumbled upon it at the end of a working day.

Backhouse had discovered that Ubuntu desktop was vulnerable to a DoS attack, and was writing up a security report, he explained in a GitHub Security Lab blog post yesterday (November 10).

He finished and closed his laptop lid but, when he opened it again, saw that he was locked out of his account.

“I had been experimenting with the .pam_environment symlink and had forgotten to delete it before closing the lid,” Backhouse wrote.

“No big deal: I used Ctrl-Alt-F4 to open a console, logged in (the console login was not affected by the DoS [vulnerability]), and killed accounts-daemon with a SIGSEGV.”

Time out

The second bug impacts Ubuntu’s GNOME Display Manager (gdm3), which handles user sessions and the login screen.

As Backhouse noted, the gnome-initial-setup dialog box is usually triggered when there are no user accounts on the Ubuntu system.

The service checks how many users are on the system by querying accounts-daemon. With the daemon out of action because of the previous vulnerability, the dialog box would be triggered, allowing an attacker to create a new admin profile.

The issue was discovered in version 20.04 and has since been fixed. Users are urged to update to the latest Ubuntu build.
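A defender-side audit for the two artifacts described above, written as an added example rather than code from Backhouse's post or from Ubuntu: it flags home directories whose .pam_environment is a symlink and lists members of the admin group that are not on an expected list. The /home and /etc/group defaults, the "sudo" group name and the ADMIN_ALLOWLIST variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a host for the two artifacts the article describes.
# Run as root so every home directory is readable.

# Print each home directory under $1 whose .pam_environment is a symlink.
# A regular file there is normal; a symlink deserves a manual look.
find_pam_env_symlinks() {
    home_base=$1
    for dir in "$home_base"/*/; do
        [ -d "$dir" ] || continue
        f="${dir}.pam_environment"
        if [ -L "$f" ]; then
            printf '%s -> %s\n' "$f" "$(readlink "$f")"
        fi
    done
}

# Print members of group $2 in group file $1 that are missing from the
# space-separated allowlist $3 (an unexpected administrator account).
unexpected_admins() {
    group_file=$1
    group=$2
    allowed=" $3 "
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$group_file" | tr ',' ' ')
    for m in $members; do
        case "$allowed" in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
}

# Assumed defaults: /home, /etc/group, and Ubuntu's "sudo" admin group.
# ADMIN_ALLOWLIST is a hypothetical variable naming the expected admins.
find_pam_env_symlinks "${1:-/home}"
unexpected_admins "${2:-/etc/group}" sudo "${ADMIN_ALLOWLIST:-}"
```

Any line of output is a prompt for manual review, not proof of compromise: some dotfile managers symlink .pam_environment legitimately, and the group check only sees accounts listed in the local group file.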

Backhouse released a proof-of-concept video demonstrating the exploit in action.

“And that’s the story of how the end of my workday was the start of an 0-day!” he added.
