If the exploit is successful, then you will be presented with a series of dialog boxes which let you create a new user account. Once completed, log out and wait a few seconds for the SIGSEGV to detonate. The SIGSEGV won’t take effect until the SIGCONT is received. Send accounts-daemon a SIGCONT signal to deactivate the SIGSTOP, which you sent earlier. Send accounts-daemon a SIGSEGV signal, which will make it crash. (You just need to give yourself enough time to log out.)
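The signal sequence described here leaves a recognisable state behind: accounts-daemon sits stopped with a SIGSEGV queued until the SIGCONT arrives. The following check for that state is an added example, not code from the original post; the function names and the sample status text are constructed for illustration, and only the process name and PID 597 come from the post.

```python
import glob
import signal

# Constructed sample of /proc/<pid>/status for a daemon that received SIGSTOP
# and then SIGSEGV (illustrative values, not captured output).
SAMPLE_STATUS = """\
Name:\taccounts-daemon
State:\tT (stopped)
Pid:\t597
SigPnd:\t0000000000000000
ShdPnd:\t0000000000000400
"""

def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def pending_signals(fields):
    """Decode the thread (SigPnd) and process (ShdPnd) pending masks; bit n-1 is signal n."""
    mask = int(fields.get("SigPnd", "0"), 16) | int(fields.get("ShdPnd", "0"), 16)
    names = []
    for signum in range(1, 65):
        if (mask >> (signum - 1)) & 1:
            try:
                names.append(signal.Signals(signum).name)
            except ValueError:
                names.append(f"SIG{signum}")
    return names

def assess(text):
    """Alert when a process is job-control stopped with SIGSEGV waiting to be delivered."""
    fields = parse_status(text)
    stopped = fields.get("State", "").startswith("T")
    pending = pending_signals(fields)
    return {"name": fields.get("Name"), "pid": fields.get("Pid"),
            "stopped": stopped, "pending": pending,
            "alert": stopped and "SIGSEGV" in pending}

if __name__ == "__main__":
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                result = assess(fh.read())
        except OSError:
            continue  # process exited while scanning
        if result["name"] == "accounts-daemon" and result["stopped"]:
            print(result)
```

A system daemon that is merely stopped is already worth investigating, since nothing in normal operation sends it SIGSTOP; the queued SIGSEGV makes the finding specific to the sequence above.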
This command tells it to run a bash script that does three things:

The nohup utility is a simple way to leave a script running after you have logged out.

    nohup bash -c "sleep 30s; kill -SIGSEGV 597; kill -SIGCONT 597"

Here is a description of the exploitation steps, as shown in the demo video.

First, open a terminal and create a symlink in your home directory:

I also think the vulnerability is easy to understand, even if you have no prior knowledge of how Ubuntu works or any security research experience.

Disclaimer: For someone to exploit this vulnerability, they need access to the graphical desktop session of the system, so this issue affects desktop users only.

So these days it’s relatively rare to find a vulnerability that doesn’t require coding skills to exploit. Most modern exploits involve complicated trickery, like using a memory corruption vulnerability to forge fake objects in the heap, or replacing a file with a symlink with microsecond accuracy to exploit a TOCTOU vulnerability.
I have, on some occasions, written thousands of lines of code to exploit a vulnerability.
It’s unusual for a vulnerability on a modern operating system to be this easy to exploit. I have made a short demo video, to show how easy it is. With a few simple commands in the terminal, and a few mouse clicks, a standard user can create an administrator account for themselves. This blog post is about an astonishingly straightforward way to escalate privileges on Ubuntu.
In other words, I don’t want this blog post to give you the impression that Ubuntu is full of trivial security bugs; that’s not been my impression so far. Ubuntu is open source, which means that many people have looked at the source code before me, and it seems like all the easy bugs have already been found. I have found (and reported) a few issues, but the majority have been low severity. I have recently spent quite a bit of time looking for security vulnerabilities in Ubuntu’s system services, and it has mostly been an exercise in frustration. I am a fan of Ubuntu, so I would like to help make it as secure as possible.

Novem
How to get root on Ubuntu 20.04 by pretending nobody’s /home
Kevin Backhouse