single user (and other) boot methods allow local users to gain access to root

Bug #401503 reported by Michael Gilbert
This bug affects 1 person
Affects            Status     Importance  Assigned to  Milestone
upstart            Won't Fix  Undecided   Unassigned
sysvinit (Debian)  New        Undecided   Unassigned

Bug Description

hello,

there is a method [1] that is described as a means to recover a forgotten password, but it also enables malicious local users to gain root access. this is very bad indeed.

also see debian bug report [2], which hasn't seen much activity for quite some time. however, this is because the conditions for exploitation, in particular not setting a password for the root account, are non-default on debian. these conditions are the default on ubuntu, which makes this so bad.

this vulnerability has been present since at least dapper (and probably since warty); whichever version first introduced no-root.

[1] http://linuxwave.blogspot.com/2008/09/ubuntu-forgotten-password.html
[2] http://bugs.debian.org/517018

description: updated
security vulnerability: yes → no
visibility: private → public
Revision history for this message
Scott James Remnant (Canonical) (canonical-scott) wrote :

No computer is secure when the intruder has physical access to the computer, therefore this is not something we actively attempt to control in our default installation; however we do provide options to allow you to secure against it as much as is possible.

Physical access means that the hard drive can be removed, and mounted into another machine to retrieve the data. In order to work around this, you would need to encrypt your filesystem (you can set this up from the alternate installer).

Encrypting your filesystem requires that a passphrase be entered during boot, whether or not the init system is bypassed or the computer booted into single-user mode.

It would also be recommended that you encrypt your swap partition so that forensic debugging cannot be used to obtain data from paged virtual memory.

Securing the boot loader itself, or the system options permitted, is pointless because the user can simply insert a different bootable disk with an alternate boot loader to boot the system however they want. Indeed the Ubuntu Live CD would permit this, no special "kits" are required.

Securing the BIOS would not prevent the data being retrieved by removing the hard drive.

Changed in upstart:
status: New → Won't Fix
Michael Gilbert (michael-s-gilbert) wrote :

thank you for this assessment, but it misses the point. here is what i said in the debian bug report:

  there are levels of vulnerability/security. at the lowest level are
  pure software vulnerabilities (such as this issue), which require
  absolutely no effort for a local attacker. however, for a
  hardware-assisted exploit, it requires surreptitious entry, more time,
  and more preparedness (and it looks suspicious, and can be somewhat
  prevented by limiting access to areas via locks, valid users only,
  etc). the user can also increase their security by disabling boot from
  media in the bios, which would force the attacker to spend more time to
  crack open the machine, which is even more suspicious.

  at each level, it takes more and more time for the attacker to exploit
  the vulnerability, thus increasing the chance of detecting them. less
  than a minute for the software exploit, 10s of minutes for hardware
  assisted and longer for resetting the bios.

the point is that it should be "hard" to gain access to an unauthorized machine, even if you have physical access. hence, ubuntu should be shipped in a "hardened" configuration by default. obviously stealing the hard disk is always possible, but by that point, the user knows they have been compromised. they may never know, which is even worse. you mention hard drive encryption, and that is a great solution, but to protect your users, it must be the default. i can't imagine that more than 1% of your users do this because they mostly stick to the defaults. it cannot be optional.

gaining root this way is way too easy, and it just looks bad that nothing will be done about it. think about it from this perspective: if this were to be prominently discussed in an article or magazine, how much of a reaction would there be? how much would it concern the readers that there is a known hole exposed on every ubuntu instance that they have ever installed? and how bad does it make ubuntu look compared to fedora, debian, and other distros that are not affected by this by default?

Scott James Remnant (Canonical) (canonical-scott) wrote : Re: [Bug 401503] Re: single user (and other) boot methods allow local users to gain access to root

On Mon, 2009-08-10 at 05:39 +0000, Michael Gilbert wrote:

> the point is that it should be "hard" to gain access to an unauthorized
> machine, even if you have physical access.
>
The Ubuntu Security Team disagree.

If you'd like to change Ubuntu's policies on security on the physical
console, you would need to start a discussion on a ML such as
ubuntu-devel or take it up with the Ubuntu Technical Board.

> gaining root this way is way too easy, and it just looks bad that
> nothing will be done about it. think about it from this perspective:
> if this were to be prominently discussed in an article or magazine, how
> much of a reaction would there be? how much would it concern the readers
> that there is a known hole exposed on every ubuntu instance that they
> have ever installed? and how bad does it make ubuntu look compared to
> fedora, debian, and other distros that are not affected by this by
> default?
>
Fedora, Debian and all of the other major distributions are shipped in
the same configuration as Ubuntu - they do not secure against physical
console access.

Scott
--
Scott James Remnant
<email address hidden>

Michael Gilbert (michael-s-gilbert) wrote :

> The Ubuntu Security Team disagree.
>
> If you'd like to change Ubuntu's policies on security on the physical
> console, you would need to start a discussion on a ML such as
> ubuntu-devel or take it up with the Ubuntu Technical Board.

i don't know if it's worth the effort. i don't use ubuntu anyway, and it's not worth dealing with the friction. however, i am concerned that a significant portion of the linux community is affected by this, which is dangerous and could be a PR nightmare, so i feel compelled to do something.

> Fedora, Debian and all of the other major distributions are shipped in
> the same configuration as Ubuntu - they do not secure against physical
> console access.

this is not true. fedora and debian do not use a no-root setup by default, which is the flaw that exposes this hole.

there are a couple of straightforward things that can be done to address the issue: forcing grub to be passworded, generating a real scrambled password for root, fixing init to not drop to shell without a valid login, or forcing disk encryption.

Scott James Remnant (Canonical) (canonical-scott) wrote :

On Tue, 2009-08-11 at 03:00 +0000, Michael Gilbert wrote:

> > Fedora, Debian and all of the other major distributions are shipped in
> > the same configuration as Ubuntu - they do not secure against physical
> > console access.
>
> this is not true. fedora and debian do not use a no-root setup by
> default, which is the flaw that exposes this hole.
>
You can boot both, interrupt the boot loader to display the menu, and
then edit the kernel command-line to include "init=/bin/bash"

This will boot immediately into a root shell bypassing all security
features.

See https://wiki.ubuntu.com/SecurityTeam/Policies#Reasonable%20Physical%20Access

Scott
--
Have you ever, ever felt like this?
Had strange things happen? Are you going round the twist?

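The conditions the thread turns on can be checked from the defender's side: whether root has a real password or the locked "no-root" field Michael Gilbert describes, whether the boot loader requires a superuser before a menu entry's kernel command line can be edited (the mitigation he lists and the path Scott James Remnant describes), and whether the running kernel was handed an init= override. The POSIX shell audit helper below is an added example, not part of the bug report or of any Ubuntu, Debian or Launchpad code. It assumes GRUB 2's grub.cfg syntax (`set superusers=`); the shadow lines, grub.cfg fragments and kernel command lines are constructed samples, and the `password_pbkdf2` value is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or from Ubuntu/Launchpad).
# Each check takes file content as an argument so it can be run against
# saved copies as well as the live files named at the bottom.

# Classify the root entry of a shadow(5) line by its password field.
#   empty  - no password at all
#   locked - "!" or "*" prefix: the "no-root" setup the report describes
#   set    - a real hash is present
root_password_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')       echo empty ;;
        \!*|\**)  echo locked ;;
        *)        echo set ;;
    esac
}

# Does grub.cfg declare a superuser?  Without "set superusers=" anyone at
# the console can edit a menu entry's kernel command line before booting.
grub_superuser_set() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*set[[:space:]]+superusers='; then
        echo yes
    else
        echo no
    fi
}

# Was the running kernel given an init= override?  Recording this at boot
# (e.g. from /proc/cmdline) is a cheap detection for the bypass discussed
# in the thread, since a normal boot never carries that parameter.
cmdline_has_init_override() {
    case " $1 " in
        *" init="*) echo yes ;;
        *)          echo no ;;
    esac
}

# Summary: OK only when root has a real password AND the boot loader is
# locked; WEAK covers the default combination the report complains about.
posture() {
    rp=$(root_password_state "$1")
    gs=$(grub_superuser_set "$2")
    if [ "$rp" = set ] && [ "$gs" = yes ]; then
        echo OK
    else
        echo WEAK
    fi
}

# Constructed sample inputs (not taken from any real host).
SHADOW_NOROOT='root:!:14800:0:99999:7:::'
SHADOW_SET='root:$6$constructedsalt$constructedhash:14800:0:99999:7:::'
GRUB_OPEN='menuentry "Ubuntu" {
    linux /vmlinuz root=/dev/sda1 ro quiet
}'
GRUB_LOCKED='set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDER_HASH
menuentry "Ubuntu" --unrestricted {
    linux /vmlinuz root=/dev/sda1 ro quiet
}'
CMDLINE_NORMAL='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet'
CMDLINE_BYPASS='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet init=/bin/bash'

# Stand-alone demo over the constructed samples.
echo "no-root default, open grub:      $(posture "$SHADOW_NOROOT" "$GRUB_OPEN")"
echo "root password, grub superuser:   $(posture "$SHADOW_SET" "$GRUB_LOCKED")"
echo "init override on sample cmdline: $(cmdline_has_init_override "$CMDLINE_BYPASS")"

# On a live host (needs root to read /etc/shadow):
#   posture "$(grep '^root:' /etc/shadow)" "$(cat /boot/grub/grub.cfg)"
#   cmdline_has_init_override "$(cat /proc/cmdline)"
```

The grub check only establishes that a superuser is declared; entries marked `--unrestricted` still boot without a password but cannot be edited, which is the property that matters here. The init= check is a detection, not a prevention: it tells you after the fact that the boot was tampered with, which is exactly the "chance of detecting them" Michael Gilbert argues for.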