Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

How to get root on Ubuntu 20.04 by pretending nobody’s /home

Kevin Backhouse, posted 5 years ago
  • An LPE on a Linux machine? Who would have thought that! Linux OS's are typically secure. This privilege escalation ONLY exists within the Desktop version of Ubuntu and not the server version.
  • The first bug is a denial of service within the accountsservice daemon. The user sets the file .pam_environment to be a symlink to /dev/null. This makes the file infinitely long when the daemon tries to read it.
  • When the daemon decides to read this file, it DROPS its privileges down to those of the user in order to prevent privilege escalation. Because of this privilege drop, we now have the ability to send signals to this process! What signal should we send? How about SIGSTOP? This will pause the running process.
  • Now, here is the real kicker. You log out of the current user! Once at the login screen, we wait until the dialog box pops up to create a new user. Why does this happen?
  • When there are no users on the system, GNOME is instructed to create a new user. It knows how many users there are by talking to the accountsservice daemon!
  • The bug lies in the code path taken when the accountsservice daemon is unresponsive and a timeout occurs. On that path, the field that decides whether any user account exists is priv->have_existing_user_accounts. However, this defaults to false! So, if the timeout occurs when trying to talk to the daemon, the code behaves as if there are no users on the system!
  • In a nutshell, this stops the accountsservice daemon by first trapping it in an infinite loop after it has dropped its privileges, then freezing it with a signal. Then, by logging out and trying to log back in, the unresponsiveness of this daemon allows the attacker to re-run the first-user initialization process.
  • I love this type of finding! When I see bugs like this I wonder "What could I do better in order to find this bug in the future?". The crux of this bug was that a field was initialized to an insecure state and relied on a time-limited action to fill it in. In the future, look for bad/insecure initialization of values.
  • By the way, the author found this bug by accident, and it took them some help to find the root cause of the issue. As I would say, you miss 100% of the shots you don't take! At least by trying, this guy gave himself a chance to get lucky.
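The "insecure initialization" lesson above is easier to recognise once you have seen the pattern side by side with its fix. The following is an added Python simulation, not code from the article, from accountsservice or from GNOME: `ask_accounts_daemon`, `query_with_timeout`, `vulnerable_needs_first_user` and `hardened_decide` are hypothetical names, and the user counts and daemon delays fed to them are constructed inputs. The vulnerable function starts its gating flag at "no accounts exist" and only corrects it when the daemon answers in time, so a stalled daemon looks the same as an empty machine; the hardened one keeps "no answer" as its own state and fails closed.

```python
# Added illustration of the bug pattern described in the notes; not code from
# the article, accountsservice or GNOME. All function names are hypothetical
# and all inputs (user counts, delays) are constructed.
import enum
import threading
import time


class Decision(enum.Enum):
    SHOW_LOGIN = "show login screen"            # accounts exist
    CREATE_FIRST_USER = "run first-user setup"  # no accounts exist
    REFUSE = "cannot decide; do not create"     # daemon unavailable (fail closed)


def ask_accounts_daemon(user_count, delay_s):
    """Hypothetical stand-in for the D-Bus call to the accounts daemon.

    `delay_s` simulates a daemon that is slow or frozen (e.g. stopped by a
    signal); `user_count` is the answer it would give once it responds.
    """
    time.sleep(delay_s)
    return user_count


def query_with_timeout(user_count, delay_s, timeout_s):
    """Run the query on a helper thread; return the count, or None on timeout."""
    reply = {}
    done = threading.Event()

    def worker():
        reply["count"] = ask_accounts_daemon(user_count, delay_s)
        done.set()

    threading.Thread(target=worker, daemon=True).start()
    return reply["count"] if done.wait(timeout_s) else None


def vulnerable_needs_first_user(user_count, delay_s, timeout_s=0.05):
    """Bug pattern: the field that gates user creation starts out insecure.

    Like priv->have_existing_user_accounts in the notes, it defaults to False
    and the timeout branch leaves it untouched, so "daemon did not answer"
    becomes indistinguishable from "nobody has an account".
    """
    have_existing_user_accounts = False  # insecure default
    count = query_with_timeout(user_count, delay_s, timeout_s)
    if count is not None:
        have_existing_user_accounts = count > 0
    # On timeout we fall through with the default still False.
    return not have_existing_user_accounts


def hardened_decide(user_count, delay_s, timeout_s=0.05):
    """Fail closed: "unknown" is a real state, distinct from "no accounts".

    Nothing security-relevant is inferred from the absence of an answer.
    """
    count = query_with_timeout(user_count, delay_s, timeout_s)
    if count is None:
        return Decision.REFUSE
    return Decision.CREATE_FIRST_USER if count == 0 else Decision.SHOW_LOGIN


if __name__ == "__main__":
    # One existing account; daemon responsive (0.0s) vs. stalled (0.3s).
    for delay in (0.0, 0.3):
        print(f"daemon delay {delay}s: vulnerable creates user? "
              f"{vulnerable_needs_first_user(1, delay)}; "
              f"hardened -> {hardened_decide(1, delay).value}")
```

With one account on the machine and a responsive daemon both versions agree; once the daemon stalls past the timeout, the vulnerable version offers to create a new user while the hardened version refuses. The general rule the fix encodes is that a flag protecting a privileged action must never hold its permissive value before the check that justifies it has actually completed.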