A security researcher at GitHub recently disclosed a vulnerability (CVE-2020-16125) in GNOME Display Manager (GDM), the component responsible for displaying the login screen.
Combined with another vulnerability in the account tracking service (accounts-daemon), the problem allows code to run as root. The vulnerability stems from GDM incorrectly launching the initial configuration utility when the accounts daemon service cannot be reached over DBus.
An unprivileged user can crash or hang the accounts-daemon process, which creates the conditions for GDM to run the gnome-initial-setup utility; through it, a new user can be registered as a member of the sudo group, that is, with the ability to run programs as root.
Normally, GDM calls gnome-initial-setup to set up the first user when there are no accounts on the system. It checks whether accounts exist by contacting accounts-daemon. If that request fails, GDM assumes no accounts exist and starts the initial setup process.
The researcher identified two ways to disrupt the accounts-daemon process: the first (CVE-2020-16126) is due to an incorrect privilege drop, and the second (CVE-2020-16127) is an error in the processing of the ".pam_environment" file.
In addition, another vulnerability was found in accounts-daemon (CVE-2018-14036), caused by incorrect file path checks and allowing arbitrary file contents on the system to be read.
The vulnerabilities in accounts-daemon are caused by changes made by Ubuntu developers and are not present in the upstream accounts-daemon code of the FreeDesktop project or in the Debian package.
The CVE-2020-16127 issue lies in a patch added in Ubuntu that implements the is_in_pam_environment function, which reads the contents of the .pam_environment file from the user's home directory. If a symbolic link to /dev/zero is placed at this path instead of a regular file, the accounts-daemon process hangs in an endless loop of read operations and stops responding to requests over DBus.
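As an added example (not code from accountsservice, Ubuntu or GDM), this is how a daemon can read a user-controlled file like .pam_environment without the hang described above: it refuses symlinks, accepts only regular files owned by the user, and bounds the read. The byte cap, the function names and the self_test helper are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L /* for O_NOFOLLOW, O_CLOEXEC, mkstemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Reads a per-user file such as ~/.pam_environment without the hang described
 * above: symlinks refused (O_NOFOLLOW), only regular files owned by the user
 * accepted (no /dev/zero, FIFOs, directories), and the read loop is bounded. */
#define PAM_ENV_MAX_BYTES 4096 /* cap chosen for this example */
/* Returns bytes read (>= 0), or -1 with errno set when the file is rejected. */
long read_user_config(const char *path, uid_t owner, char *buf, size_t cap) {
    struct stat st; size_t total = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;                                /* ELOOP for a symlink */
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    if (!S_ISREG(st.st_mode)) { close(fd); errno = EINVAL; return -1; }
    if (st.st_uid != owner) { close(fd); errno = EPERM; return -1; }
    if (cap == 0 || st.st_size > PAM_ENV_MAX_BYTES) { close(fd); errno = EFBIG; return -1; }
    while (total < cap - 1 && total < PAM_ENV_MAX_BYTES) {   /* bounded loop */
        ssize_t n = read(fd, buf + total, cap - 1 - total);
        if (n < 0) { if (errno == EINTR) continue; close(fd); return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    close(fd);
    buf[total] = '\0';
    return (long)total;
}
/* Self-check: a regular file in /tmp is accepted, a symlink to it is refused
 * with ELOOP. Returns 0 on success, otherwise the number of the failing step. */
int self_test(void) {
    char path[] = "/tmp/pamenv_XXXXXX", lnk[64], buf[128];
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    if (write(fd, "LANG=en_US.UTF-8\n", 17) != 17) { close(fd); unlink(path); return 2; }
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", path);
    if (symlink(path, lnk) != 0) { unlink(path); return 3; }
    long good = read_user_config(path, getuid(), buf, sizeof buf);
    long bad = read_user_config(lnk, getuid(), buf, sizeof buf);
    int err = errno;
    unlink(lnk); unlink(path);
    if (good != 17 || strncmp(buf, "LANG=", 5) != 0) return 4;
    return (bad == -1 && err == ELOOP) ? 0 : 5;
}
```

A device node passed directly (for example /dev/zero) is rejected by the S_ISREG check before any read is attempted, so the loop never starts on it.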
It is unusual for a vulnerability in a modern operating system to be so easy to exploit. On some occasions, I have written thousands of lines of code to exploit a vulnerability.
Most modern exploits involve complicated tricks, such as using a memory corruption vulnerability to spoof fake objects in the heap, or replacing a file with a symlink to microsecond precision to exploit a TOCTOU vulnerability.
So these days it is relatively rare to find a vulnerability that does not require coding skills to exploit. I also think the vulnerability is easy to understand, even if you have no prior knowledge of how Ubuntu works or experience in security research.
The CVE-2020-16126 vulnerability is caused by another patch that drops the current user's privileges while processing some DBus calls (for example, org.freedesktop.Accounts.User.SetLanguage).
The accounts-daemon process normally runs as root, which prevents a normal user from sending it signals.
But because of the added patch, the process can drop its privileges, and the user can then terminate it by sending a signal. To carry out the attack, it is enough to create the conditions under which the daemon drops privileges (its RUID) and to send a SIGSEGV or SIGSTOP signal to the accounts-daemon process.
The user ends the graphical session and switches to a text console (Ctrl-Alt-F1).
After the graphical session ends, GDM tries to display the login screen but hangs while waiting for a response from accounts-daemon.
The SIGSEGV and SIGCONT signals are sent from the console to the accounts-daemon process, causing it to hang.
The signals can also be sent before leaving the graphical session, but with a delay, so that the session has time to end and GDM has time to start before the signal arrives.
GDM's request to accounts-daemon fails, and GDM launches the gnome-initial-setup utility, in whose interface it is sufficient to create a new account.
The vulnerability is fixed in GNOME 3.36.2 and 3.38.2. Exploitation of the vulnerability has been confirmed on Ubuntu and its derivatives.