“This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu,” Kevin Backhouse, a researcher at GitHub, wrote in a post published on Tuesday. “With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves.”
The first series of commands triggered a denial-of-service bug in a daemon called accountsservice, which as its name suggests is used to manage user accounts on the computer… With the help of a few extra commands, Backhouse was able to set a timer that gave him just enough time to log out of the account before accountsservice crashed. When done correctly, Ubuntu would restart and open a window that allowed the user to create a new account that — you guessed it — had root privileges…
The second bug involved in the hack resided in the GNOME display manager, which among other things manages user sessions and the login screen. The display manager, which is often abbreviated as gdm3, also triggers the initial setup of the OS when it detects no users currently exist. “How does gdm3 check how many users there are on the system?” Backhouse asked rhetorically. “You probably already guessed it: by asking accounts-daemon! So what happens if accounts-daemon is unresponsive….?”
The vulnerabilities could be triggered only when someone had physical access to, and a valid account on, a vulnerable machine. It worked only on desktop versions of Ubuntu.
They add that the GitHub security research who discovered the bugs “reported them to Ubuntu and GNOME maintainers on October 17, and fixes are available in the latest code.”