Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

GHSL-2023-139: Use After Free (UAF) in accountsservice - CVE-2023-3297- 1201

Kevin Backhouse - GitHub Security Lab. Posted 2 years ago.
  • Ubuntu's accountsservice is a package for querying and manipulating user account information. It exposes this through D-Bus interfaces; D-Bus is the IPC mechanism used by Linux desktops.
  • After receiving a D-Bus method call, the server normally sends the client exactly one reply: either a METHOD_RETURN for a successful call or an ERROR message. Client libraries rely on the D-Bus specification being followed here, so it is super important that this is correct. The reply is not a C return value though; it appears to be set in some internal structure.
  • What happens if the specification isn't followed? Madness! In the case of user_change_language_authorized_cb, both the error handler and the proper handler were being called. The error handler was called when $HOME is not mounted, and the main path always ran regardless.
  • Since both calls decrement the reference counter, this sets up a use after free. Deleting the home directory forces the $HOME check to fail, so the reference counter is decremented twice and the object is released while still in use; another call can then touch the freed memory and cause memory corruption shenanigans.
  • The command below would cause this to crash:
    dbus-send --system --print-reply \
      --dest=org.freedesktop.Accounts \
      /org/freedesktop/Accounts/User`id -u` \
      org.freedesktop.Accounts.User.SetLanguage string:'**'

  • On 23.04 this causes a SIGSEGV crash, but 22.04 doesn't crash. According to the author, this is due to a difference in the GLib memory allocator. Additionally, exploitation is said to be difficult, if not impossible.
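As an added illustration (not code from the advisory or from accountsservice), here is the refcount bug described above reduced to a constructed C model: the buggy handler drops the call's reference on both the error path and the success path, while the fixed handler returns after sending the error reply. The $HOME check is simulated by a flag, and releasing the last reference deliberately does not free memory so the over-release can be observed rather than crash.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed model, not accountsservice code: a reference-counted object
 * standing in for the per-user D-Bus object (the real code uses GObject). */
typedef struct {
    int refcount;
    bool home_mounted;   /* stands in for the $HOME check */
} user_obj;

static user_obj *user_new(bool home_mounted) {
    user_obj *u = calloc(1, sizeof *u);
    u->refcount = 1;     /* the owner's reference */
    u->home_mounted = home_mounted;
    return u;
}
static void user_ref(user_obj *u) { u->refcount++; }
/* Does not free() at zero so an over-release stays observable; in the real
 * code a zero count frees an object the owner is still using. */
static void user_unref(user_obj *u) { u->refcount--; }

/* Buggy handler: on a missing $HOME it takes the ERROR path and then falls
 * through into the METHOD_RETURN path, so the call's reference is dropped
 * twice. Returns the count left for the owner (1 = correct, 0 = UAF). */
static int handle_set_language_buggy(user_obj *u) {
    user_ref(u);                 /* reference held for the method call */
    if (!u->home_mounted)
        user_unref(u);           /* error reply releases it ... */
    user_unref(u);               /* ... and so does the success reply */
    return u->refcount;
}

/* Fixed handler: exactly one reply and exactly one release per call. */
static int handle_set_language_fixed(user_obj *u) {
    user_ref(u);
    if (!u->home_mounted) {
        user_unref(u);           /* error reply, then stop */
        return u->refcount;
    }
    user_unref(u);               /* success reply */
    return u->refcount;
}

int main(void) {
    user_obj *a = user_new(false), *b = user_new(false);   /* $HOME deleted */
    printf("buggy leaves %d, fixed leaves %d\n", handle_set_language_buggy(a), handle_set_language_fixed(b));
    free(a); free(b);
    return 0;
}
```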