Ubuntu fixes bugs that standard users can use to become root

Kevin Backhouse, a GitHub researcher, needed only a few commands to show that ordinary users could become administrators with full access to the system.

Ubuntu developers have fixed a number of vulnerabilities that made it easier for standard users to obtain root privileges.

“This blog post is about a surprisingly straightforward way to increase privileges on Ubuntu,” wrote Kevin Backhouse, a GitHub researcher, in a post published last Tuesday. “With a few simple commands on the terminal and a few clicks of the mouse, a standard user can create an administrator account for himself.”

The first series of commands triggered a denial-of-service bug in a daemon called accountsservice, which, as its name suggests, is used to manage user accounts on the computer.

To do this, Backhouse created a symlink that linked a file named .pam_environment to /dev/zero, changed the regional language setting, and sent a SIGSTOP to accountsservice.

With the help of a few extra commands, Backhouse was able to set a timer that gave him enough time to log out of the account before accountsservice crashed. When done correctly, Ubuntu would restart and open a window that allowed the user to create a new account that, you guessed it, had root privileges.

Backhouse said that Ubuntu uses a modified version of accountsservice that contains code that is not included in the original version. The extra code looks for the .pam_environment file in the home directory. When the file is a symbolic link to /dev/zero, which never returns end-of-file, the code reading .pam_environment gets stuck in an infinite loop.
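As an added example (not code from Backhouse's post or from accountsservice), the following Python shows a defensive check for the condition described above: it classifies a user's .pam_environment without following symlinks, and reads it only if it is a regular file, up to a fixed cap. The function names and the 64 KiB cap are assumptions made for illustration.

```python
import os
import stat
import tempfile

MAX_BYTES = 64 * 1024  # assumed cap; a real .pam_environment is a few lines


def classify(path):
    """Classify a per-user file without following symlinks or reading it."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"
    if stat.S_ISLNK(st.st_mode):
        return "symlink -> " + os.readlink(path)
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_size > MAX_BYTES:
        return "oversized"
    return "ok"


def read_bounded(path):
    """Read at most MAX_BYTES, refusing symlinks and device nodes."""
    # O_NOFOLLOW fails on a symlink; O_NONBLOCK keeps open() from hanging on a FIFO.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise OSError("refusing non-regular file: " + path)
        return os.read(fd, MAX_BYTES)
    finally:
        os.close(fd)


def demo():
    """Constructed sample: alice has a plain file, bob has the symlink described above."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for user in ("alice", "bob"):
            target = os.path.join(root, user, ".pam_environment")
            os.mkdir(os.path.dirname(target))
            if user == "alice":
                with open(target, "w") as fh:
                    fh.write("LANG=en_US.UTF-8\n")
            else:
                os.symlink("/dev/zero", target)
            results[user] = classify(target)
    return results
```

Calling `demo()` returns the classification for both constructed home directories; on a real system, `classify` would be run over each user's home as part of an audit.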

The second bug involved in the hack resided in the GNOME display manager, which among other things manages user sessions and the login screen. The display manager, which is usually abbreviated as gdm3, also triggers the initial configuration of the operating system when it detects that no user currently exists.

“How does gdm3 check how many users are on the system?” Backhouse asked rhetorically. “You probably already guessed it: asking the accounts daemon! So what happens if the accounts daemon doesn’t respond? The relevant code is here.”

The vulnerabilities could only be triggered when someone had physical access and a valid account on a vulnerable machine. It only worked on desktop versions of Ubuntu.

The solution

Open-source operating system maintainers fixed the bugs last week. Backhouse, who said he found the vulnerabilities by accident, has many more technical details in the blog post linked above.

Hamza