Ubuntu fixes bugs that standard users can use to become root

Kevin Backhouse, a GitHub researcher, needed only a few commands to show that ordinary users could become administrators with full access to the system.

Ubuntu developers have fixed a number of vulnerabilities that made it easy for standard users to obtain root privileges.

“This blog post is about a surprisingly straightforward way to increase privileges on Ubuntu,” wrote Kevin Backhouse, a GitHub researcher, in a post published last Tuesday. “With a few simple commands on the terminal and a few clicks of the mouse, a standard user can create an administrator account for himself.”

The first series of commands triggered a denial-of-service bug in a daemon called accountsservice, which, as its name suggests, is used to manage user accounts on the computer.

To do this, Backhouse created a symlink that linked a file named .pam_environment to /dev/zero, changed the regional language setting, and sent a SIGSTOP to accountsservice.

With the help of a few extra commands, Backhouse was able to set a timer that gave him enough time to log out of the account before accountsservice crashed. When done correctly, Ubuntu would restart and open a window that allowed the user to create a new account that, you guessed it, had root privileges.

Video shows the creation of Admin account

Backhouse said that Ubuntu uses a modified version of accountsservice that contains code that is not included in the original version. The extra code looks for the .pam_environment file in the home directory. When the file is a symbolic link to /dev/zero, the code reading .pam_environment gets stuck in an infinite loop, because /dev/zero never returns end-of-file.
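
One way a privileged daemon can read a file from a user-controlled home directory without being stalled by a symlink to /dev/zero, shown as an added example (it is not code from accountsservice or from Ubuntu's fix). The names `read_user_file` and `UnsafeFile` and the 64 KiB cap are assumptions made for illustration.

```python
import errno
import os
import stat

MAX_BYTES = 64 * 1024  # assumed cap; a per-user environment file is tiny


class UnsafeFile(Exception):
    """Raised when the path is not a small regular file with the expected owner."""


def read_user_file(path, max_bytes=MAX_BYTES, expected_uid=None):
    """Read a file from a user-controlled directory without trusting it."""
    # O_NOFOLLOW: fail if the final path component is a symlink.
    # O_NONBLOCK: never hang in open() on a FIFO or device node.
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK | os.O_CLOEXEC
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise UnsafeFile(f"{path}: is a symlink") from exc
        raise
    try:
        # Check the object actually opened (fstat on the fd), not the path,
        # so the file cannot be swapped between the check and the read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFile(f"{path}: not a regular file")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise UnsafeFile(f"{path}: unexpected owner uid {st.st_uid}")
        # Bounded read: request one byte more than the cap to detect overflow,
        # so an endless or oversized source can never loop forever.
        data = b""
        while len(data) <= max_bytes:
            chunk = os.read(fd, max_bytes + 1 - len(data))
            if not chunk:
                return data
            data += chunk
        raise UnsafeFile(f"{path}: larger than {max_bytes} bytes")
    finally:
        os.close(fd)
```
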

The second bug involved in the hack resided in the GNOME display manager, which among other things manages user sessions and the login screen. The display manager, which is usually abbreviated as gdm3, also triggers the initial configuration of the operating system when it detects that no user currently exists.

“How does gdm3 check how many users are on the system?” Backhouse asked rhetorically. “You probably already guessed it: asking the daemon accounts! So what happens if the account daemon doesn’t respond? The relevant code is here.”

The vulnerabilities could only be triggered when someone had physical access and a valid account on a vulnerable machine. It only worked on desktop versions of Ubuntu.

The solution

Open-source operating system maintainers fixed the bugs last week. Backhouse, who said he found the vulnerabilities by accident, has many more technical details in the blog post linked above.

hamza (https://nupgrade.com/)
I am a web developer and digital marketer. I love programming and technologies, and I am always looking for new technologies and new challenges.