Ubuntu hit by serious privilege-escalation bugs: a local user can easily obtain root

Recently, GitHub security researcher Kevin Backhouse discovered a vulnerability chain in Ubuntu 20.04 (a long-term support release) that lets any desktop user create a new administrator (sudo) account, without knowing any password, and thereby gain root access.

Backhouse pointed out that exploiting the vulnerability is very simple: a few commands are enough for a local user to create an administrator account for themselves. "It is unusual for vulnerabilities in modern operating systems to be exploited so easily." Backhouse also recorded a video showing how he exploited the vulnerability.

The attack chains two bugs in Ubuntu: one in accountsservice, the service that manages user accounts on the machine, and one in the GNOME Display Manager (gdm3).

accountsservice vulnerability

The accountsservice daemon, accounts-daemon, is a system service that manages the user accounts on the machine. It can create a new user account or change a user's password, but it also handles less security-sensitive things such as changing a user's icon or preferred language. A daemon is a program that runs in the background without its own user interface; the system Settings dialog talks to accounts-daemon over a message bus called D-Bus.

Ubuntu ships a modified version of accountsservice that contains extra code not present in the upstream version maintained by freedesktop.org. The Ubuntu patch adds a function called is_in_pam_environment, which looks for a file named .pam_environment in the user's home directory and reads it.

The accounts-daemon bug is triggered by making .pam_environment a symbolic link to /dev/zero. /dev/zero is a special device file, provided by the kernel rather than stored on disk, that behaves like an infinitely long file in which every byte is 0. Because .pam_environment lives in the user's home directory, the user controls it completely. When is_in_pam_environment opens .pam_environment, the symlink redirects it to /dev/zero, and its read loop never reaches end-of-file, so the daemon spins forever.
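As an added illustration (not code from this article or from Ubuntu's accountsservice), the following C program contrasts a reader of ~/.pam_environment that behaves the way the bug above does with a hardened version. The function names pam_env_has_var_vulnerable and pam_env_has_var_safe, the 64 KiB size limit and the sample file contents are my own assumptions; the real is_in_pam_environment differs in detail. The vulnerable reader follows the symlink and loops until end-of-file, which /dev/zero never delivers; the hardened one opens with O_NOFOLLOW, insists on a regular file of bounded size, and caps the bytes it reads, so a link to /dev/zero is rejected with ELOOP instead of hanging.

```c
/* pam_env_check.c: vulnerable vs hardened reader for ~/.pam_environment.
 * Added example; not the Ubuntu accountsservice code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PAM_ENV_MAX_BYTES (64 * 1024)   /* assumed cap on a sane .pam_environment */

/* Returns 1 if `line` starts with "VAR=" or "VAR<space/tab>" (pam_env syntax). */
static int line_sets_var(const char *line, const char *var) {
    size_t n = strlen(var);
    return strncmp(line, var, n) == 0 &&
           (line[n] == '=' || line[n] == ' ' || line[n] == '\t');
}

/* VULNERABLE: follows symlinks, never checks the file type, reads until EOF.
 * On a symlink to /dev/zero fgets keeps returning 1023 zero bytes and EOF
 * never comes, so this loops forever. Never point it at /dev/zero. */
int pam_env_has_var_vulnerable(const char *path, const char *var) {
    FILE *fp = fopen(path, "r");
    if (!fp) return 0;
    char line[1024];
    int found = 0;
    while (fgets(line, sizeof line, fp) != NULL) {
        if (line_sets_var(line, var)) { found = 1; break; }
    }
    fclose(fp);
    return found;
}

/* HARDENED: refuse symlinks (O_NOFOLLOW -> ELOOP), refuse anything that is not
 * a regular file of bounded size (checked on the opened fd, so no TOCTOU), and
 * never read more than PAM_ENV_MAX_BYTES.
 * Returns 1 if found, 0 if not found, -1 on refusal/error with errno set. */
int pam_env_has_var_safe(const char *path, const char *var) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_size > PAM_ENV_MAX_BYTES) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    char *buf = malloc(PAM_ENV_MAX_BYTES + 1);
    if (!buf) { close(fd); return -1; }
    size_t total = 0;
    ssize_t n;
    while (total < PAM_ENV_MAX_BYTES &&
           (n = read(fd, buf + total, PAM_ENV_MAX_BYTES - total)) > 0)
        total += (size_t)n;
    close(fd);
    buf[total] = '\0';

    int found = 0;
    char *line = buf;
    while (line && *line) {
        char *nl = strchr(line, '\n');
        if (nl) *nl = '\0';
        if (line_sets_var(line, var)) { found = 1; break; }
        line = nl ? nl + 1 : NULL;
    }
    free(buf);
    return found;
}

/* Demo helper: write `content` to a fresh temp file and return its path (caller frees). */
char *write_temp_file(const char *content) {
    char tmpl[] = "/tmp/pam_env_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    size_t len = strlen(content);
    if (write(fd, content, len) != (ssize_t)len) { close(fd); unlink(tmpl); return NULL; }
    close(fd);
    return strdup(tmpl);
}

int main(void) {
    /* Constructed sample .pam_environment, not taken from any real system. */
    char *path = write_temp_file("LANG=en_GB.UTF-8\nLC_TIME DEFAULT=en_GB.UTF-8\n");
    if (!path) return 1;
    printf("regular file, vulnerable reader: LANG found = %d\n", pam_env_has_var_vulnerable(path, "LANG"));
    printf("regular file, hardened reader:   LANG found = %d\n", pam_env_has_var_safe(path, "LANG"));
    /* Only the hardened reader is pointed at /dev/zero; the vulnerable one would never return. */
    int r = pam_env_has_var_safe("/dev/zero", "LANG");
    printf("/dev/zero, hardened reader: result %d (%s)\n", r, r < 0 ? strerror(errno) : "ok");
    unlink(path);
    free(path);
    return 0;
}
```

The decisive checks are the ones made on the already-opened descriptor: O_NOFOLLOW stops the symlink trick at open time, and fstat plus S_ISREG stops any other special file that could be dropped into a user-controlled directory, such as a FIFO that would block the daemon just as effectively.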

On its own, a hung daemon is only a denial of service. What makes it exploitable is that, while reading .pam_environment, accounts-daemon gives up its root privileges and runs with the user's own lower privileges. A process running under the user's uid can be signalled by that user, so the attacker can send SIGSEGV to the stalled accounts-daemon and crash it.

gdm3 vulnerability

The GNOME Display Manager (gdm3) is a core component of the Ubuntu desktop. It handles starting and stopping user sessions when users log in and out, and it manages the login screen.

gdm3 also handles the initial setup of a new computer. When you install Ubuntu on a new machine, one of the first things you do is create a user account. This initial account has to be an administrator so that its owner can finish setting up the machine, for example configuring Wi-Fi and installing applications. Below are screenshots of the login screen and the initial setup interface (taken from the vulnerability video).

[Screenshot: gdm3 login screen]

[Screenshot: gnome-initial-setup (initial setup)]

The dialog shown in the screenshot is a separate application called gnome-initial-setup. gdm3 launches it when the system has zero user accounts, which is exactly the situation on a freshly installed computer. To count the accounts, gdm3 asks accounts-daemon over D-Bus. Because accounts-daemon has been crashed by the first bug, that D-Bus method call fails with a timeout, and gdm3 handles the error as if the answer were zero: it starts gnome-initial-setup, which lets the attacker create a new administrator account. This is a fail-open error path; an unanswered query should never be treated as "no users exist".

Backhouse reported the bugs to the Ubuntu and GNOME maintainers last month, and fixes have been released. Ubuntu users running GNOME should install the updates as soon as possible. (Users who are not running GNOME are not currently affected by this escalation, since it depends on gdm3.)


Source: www.oschina.net/news/120457/ubuntu-20-critical-bug