The problem stems from the AccountsService component that tracks users on the system.
A vulnerability in the graphical display manager GNOME Display Manager (GDM) could allow a normal user to create accounts with elevated privileges, giving a local attacker the ability to run code with administrator privileges.
The operation process includes running a few simple commands in the terminal and changing general system settings that do not require elevated rights. Exploiting a vulnerability in GDM3 crashes the AccountsService component, which monitors the users available on the system.
Security researcher Kevin Backhouse discovered an easy way to trick an already configured Ubuntu into running an account setup procedure for a new system. Normally, this requires an administrator account to configure the device and install applications. However, the expert found that GDM3 started this sequence when the account-daemon of the AccountsService component was not running. According to him, an ordinary user should not be able to stop this process.
The expert discovered vulnerabilities in AccountsService, due to which the component hangs (CVE-2020-16127) and resets account rights (CVE-2020-16126), allowing a regular user to crash the daemon by sending it a pending segmentation fault signal (kill -SIGSEGV ). The vulnerabilities affect Ubuntu 20.10, Ubuntu 20.04, Ubuntu 18.04 and Ubuntu 16.04.
Vulnerability CVE-2020-16127 was caused by code added to the AccountService version of Ubuntu that does not exist in the original version supported by freedesktop.
“The Ubuntu patch adds the is_in_pam_environment function, which looks for a file named .pam_environment in the user's home directory and reads it. A denial of service vulnerability works by making .pam_environment a symbolic link to /dev/zero./dev/zero - a special file that doesn't actually exist on disk. It is provided by the operating system and behaves like an infinitely long file with each byte equal to zero. When is_in_pam_environment tries to read .pam_environment, it is redirected to / dev / zero by a symbolic link, and then gets stuck in an infinite loop because / dev / zero has no end, ”the expert explained.
It could be activated by making changes to the system settings that did not require elevated privileges. Without the AccountsService running, GDM3 has no idea about the accounts on the device and provides the ability to create a new one with superuser privileges.
The vulnerability was identified as CVE-2020-16125 and rated 7.2 on the CVSS scale. The issue affects Ubuntu 20.10, Ubuntu 20.04 and Ubuntu 18.04 versions.
The researcher informed the Ubuntu and GNOME developers of his findings and the issues have been fixed in the latest version of the code.