Escalating Privileges In Ubuntu 20.04 From User Account

Ubuntu 20.04 is an incredibly popular operating system, perhaps the most popular among the Linux distributions due to its ease-of-use. In general, it’s a fairly trustworthy operating system too, especially since its source code is open. However, an update with the 20.04 revision has led to security researcher [Kevin Backhouse] finding a surprisingly easy way to escalate privileges on this OS, which we would like to note is not great.

The exploit involves two bugs, one in accountservice daemon which handles user accounts on the computer, and another in the GNOME Display Manager which handles the login screen. Ubuntu 20.04 added some code to the daemon which looks at a specific file on the computer, and with a simple symlink, it can be tricked into reading a different file which locks the process into an infinite loop. The daemon also drops its privileges at one point in this process, a normal security precaution, but this allows the user to crash the daemon.

The second bug for this exploit involves how the GNOME Display Manager (gdm3) handles privileges. Normally it would not have administrator privileges, but if the accountservice daemon isn’t running it escalates itself to administrator, where any changes made have administrator privileges. This provides an attacker with an opportunity to create a new user account with administrator privileges.

Of course, this being Ubuntu, we can assume that this vulnerability will be immediately patched. It’s also a good time to point out that the reason that open-source software is inherently more secure is that when anyone can see the source code, anyone can find and report issues like this which allow the software maintainer (or even the user themselves) to make effective changes more quickly.

28 thoughts on “Escalating Privileges In Ubuntu 20.04 From User Account

          1. @zombie: You are not a zombie, you are a freak! :-)
            When I look on the clock dislay of my computer, I want to read local time (like my phone and my watch) and also when I look at file dates/times.

    1. Don’t knock it though, because it does lean that way its really approachable for those just getting into decent OS’s and convenient for the rest of us as it tends to just work in a way other distros make you work at some. Its also being a linux configurable in a way the closed source crap can’t be.

      I use all sorts but frequently do end up with at least one machine running ubuntu, its hard to argue with throw in a bootable installer and have it just work most of the time.

      1. Yep. I am to the point in my life where I want my Workstation/Servers/Laptops OS ‘simple’. I used to use Slack, then RedHat and Fedora Core and finally Fedora, even tried Arch and a few others. But got tired of upgrading every 6 months or so on multiple computers… Mint LTS came along and it was great. But when I jumped on AMD Ryzen early, and Mint didn’t support the platform initially… So installed LUbuntu which did. Out of the box it includes all the applications one normally would use and has on tap just about any package you can think of to download. I can see why people like to use Ubuntu (or one the spins like LUbuntu, KUbuntu). I am now on the 20.04 LTS for the next few years.

    2. I’ve never seen mine do ‘unattended’ updates. I use ‘apt’ to manual update at my convenience. As for services that send data to Amazon…. I wasn’t aware of that. Need to research. All my laptops, desktops, and home server run KUbuntu 20.04 LTS. What’s this Windoze thing that people talk about? :) Kidding.

      1. Quick search says that Ubuntu has dropped the Amazon Web Launcher in 20.04 due to push back by users. A good thing. Personally I don’t ever remember seeing the launcher… Then again I don’t install Gnome (don’t like it) so that may be the reason why.

  1. Ah, breaking the login process makes the login manager think there are no user accounts on the system, triggering the first-boot setup. In retrospect, that’s a rather weak link in itself.

  2. Not very concerning – getting to the part where you make a new admin account requires physical access. But if you have physical access, you can reboot into single-user mode anyway.

    Definitely should be fixed, but nothing I’m losing sleep over.

  3. Does this apply to UbuntuStudio? It uses the XFCE graphic desktop, not gnome. I accidentally downloaded Ubuntu-not-studio 20.04, and couldn’t figure things out and wouldn’t recommend it. UbuntuStudio is a great big package all ready to do music and sound, video and more.

  4. “the reason that open-source software is inherently more secure…..”

    I’ve seen this argument a lot but I’ve also seen countless examples of it being shown as half true. SSH had a vulnerability for what 10 years that the 3 letter agency was leveraging but no one in the open source world found it. Why? Of the millions of open source users how many do we honestly believe are performing routine security audits of every single patch pused into the code of every single open source project they use?

    I recall seeing a lot of papers discussing how if you wanted to exploit peoples systems open source assets may be the easiest target, contribute to the project a hand full of times and people likely will stop intently scrutinizing your work so you can intentionally inject security issues. This isn’t the fault of open source it’s just human nature.

    I’m not trying to argue that closed source is inherently better but let’s just call it what it is. A different problem space.

    1. anon, you’re neglecting the crux of “open-source software is inherently more secure”: the word “more”. You can’t evaluate the truth of this claim by looking at the numerous severe security problems that plague open source software. In order to evaluate this claim you have to also examine closed-source software.

  5. Ubuntu isn’t bad once you tear out snapd and run something other than unity as a window manager. I use it on laptops since it seems to have the least trouble with hardware support and UEFI.

    If you’re truly concerned about security, run OpenBSD.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.