Light Display Manager

Local privilege escalation via guest user login

Series 1.22
Bug #1677924

Bug #1677924 reported by Tyler Hicks on 2017-03-31

262

This bug affects 1 person

	Status	Importance	Assigned to
Light Display Manager	Fix Released	Critical	Unassigned
1.18	Fix Released	Critical	Unassigned
1.20	Fix Released	Critical	Unassigned
1.22	Fix Released	Critical	Unassigned
lightdm (Ubuntu)	Fix Released	Critical	Robert Ancell
Xenial	Fix Released	Critical	Tyler Hicks
Yakkety	Fix Released	Critical	Tyler Hicks
Zesty	Fix Released	Critical	Robert Ancell

Bug Description

It was discovered that a local attacker could watch for lightdm's
guest-account script to create a /tmp/guest-XXXXXX file and then quickly create
the lowercase representation of the guest user's home directory before lightdm
could. This allowed the attacker to have control of the guest user's home
directory and, subsequently, gain control of an arbitrary directory in the
filesystem which could lead to privilege escalation.

See original description

Tags:

Related branches

lp:lightdm

lp:lightdm/1.22

lp:lightdm/1.20

lp:lightdm/1.18

CVE References

2017-7358

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-03-31:

Here's what I think is the most simple change possible to address this issue. Note that, as described in the commit message, it still allows for a local user to DoS the guest login feature.

@Robert, I'll leave the decision up to you if you want to implement a more complete fix for this issue.

Changed in lightdm:
status:	New → Confirmed

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2017-03-31:

This bug was introduced in revision 2233 (1.17.1).

Changed in lightdm:
importance:	Undecided → Critical
status:	Confirmed → Triaged
Changed in lightdm (Ubuntu Yakkety):
status:	New → Triaged
Changed in lightdm (Ubuntu Zesty):
status:	Confirmed → Triaged
Changed in lightdm (Ubuntu Xenial):
status:	New → Triaged
Changed in lightdm (Ubuntu Yakkety):
importance:	Undecided → Critical
Changed in lightdm (Ubuntu Xenial):
importance:	Undecided → Critical

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2017-03-31:

@Tyler, I'm happy with the fix you've proposed. I think this feature is not critical enough that solving the DoS issue is urgent.

As far as I know there's no method using a shell script to more intelligently generate the username / directory. To solve that the guest creation script would need to use another language.

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2017-03-31:

Merge proposal that brought this change in (bug 1496939):
https://code.launchpad.net/~lbssousa/lightdm/guest-account-cross-distro/+merge/274761

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-03-31:

This is CVE-2017-7358

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-03-31:

@Robert, to solve the DoS in that shell script you'd need to first securely create a tmp dir such as /tmp/lightdm-XXXXXX and then create another guest-XXXXXX tmp dir underneath it. The only downside that I can see is that the /tmp/lightdm-XXXXXX directory would not be cleaned up when the guest user ended their session.

Revision history for this message

Robert Ancell (robert-ancell) wrote on 2017-03-31:

@Tyler, I think that change will make the script even more complicated so I'll stick with the proposed patch.

Tyler Hicks (tyhicks) on 2017-04-04

description:

updated

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-04-04:

0001-Detect-existing-malicious-guest-user-home-dirs.patch Edit (1.8 KiB, text/plain)

I'm attaching a slightly updated patch for this issue. I had incorrectly given credit to the individual that reported this issue to Ubuntu Security as being the person that discovered the issue. Maor Schwartz of Beyond Security reported the issue but the individual that actually discovered the issue remains anonymous.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-04-04:

This bug was fixed in the package lightdm - 1.19.5-0ubuntu1.1

---------------
lightdm (1.19.5-0ubuntu1.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: Directory traversal allowing arbitrary directory
    ownership and privilege escalation (LP: #1677924)
    - debian/guest-account.sh: Detect existing malicious guest user home dirs
      before proceeding with guest user creation
    - CVE-2017-7358

-- Tyler Hicks <email address hidden> Fri, 31 Mar 2017 16:04:04 +0000

Changed in lightdm (Ubuntu Yakkety):
status:	Triaged → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-04-04:

#10

This bug was fixed in the package lightdm - 1.18.3-0ubuntu1.1

---------------
lightdm (1.18.3-0ubuntu1.1) xenial-security; urgency=medium

-- Tyler Hicks <email address hidden> Fri, 31 Mar 2017 16:04:04 +0000

Changed in lightdm (Ubuntu Xenial):
status:	Triaged → Fix Released

Tyler Hicks (tyhicks) on 2017-04-04

information type:	Private Security → Public Security
Changed in lightdm (Ubuntu Xenial):
assignee:	nobody → Tyler Hicks (tyhicks)
Changed in lightdm (Ubuntu Yakkety):
assignee:	nobody → Tyler Hicks (tyhicks)
Changed in lightdm (Ubuntu Zesty):
assignee:	nobody → Robert Ancell (robert-ancell)

Robert Ancell (robert-ancell) on 2017-04-04

Changed in lightdm:
status:	Triaged → Fix Committed
status:	Fix Committed → Fix Released

Ubuntu Foundations Team Bug Bot (crichton) on 2017-04-05

tags:

added: patch

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-04-05:

#11

This bug was fixed in the package lightdm - 1.22.0-0ubuntu2

---------------
lightdm (1.22.0-0ubuntu2) zesty; urgency=medium

-- Robert Ancell <email address hidden> Wed, 05 Apr 2017 10:34:32 +1200

Changed in lightdm (Ubuntu Zesty):
status:	Triaged → Fix Released

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2017-04-21:

#12

As a note to any backporters, the original fix for this bug should include the following change as well:

https://code.launchpad.net/~tyhicks/lightdm/guest-dir-perms/+merge/322906

It is technically optional but definitely recommended.

Revision history for this message

Noam Rathaus (noamr) wrote on 2017-04-21: Re: [Bug 1677924] Re: Local privilege escalation via guest user login

#13

Thanks for the update

---
Thanks,
Noam Rathaus

On Apr 21, 2017 04:15, "Tyler Hicks" <email address hidden> wrote:

> As a note to any backporters, the original fix for this bug should
> include the following change as well:
>
> https://code.launchpad.net/~tyhicks/lightdm/guest-dir-
> perms/+merge/322906
>
> It is technically optional but definitely recommended.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677924
>
> Title:
> Local privilege escalation via guest user login
>
> Status in Light Display Manager:
> Fix Released
> Status in Light Display Manager 1.18 series:
> Fix Released
> Status in Light Display Manager 1.20 series:
> Fix Released
> Status in Light Display Manager 1.22 series:
> Fix Released
> Status in lightdm package in Ubuntu:
> Fix Released
> Status in lightdm source package in Xenial:
> Fix Released
> Status in lightdm source package in Yakkety:
> Fix Released
> Status in lightdm source package in Zesty:
> Fix Released
>
> Bug description:
> It was discovered that a local attacker could watch for lightdm's
> guest-account script to create a /tmp/guest-XXXXXX file and then quickly
> create
> the lowercase representation of the guest user's home directory before
> lightdm
> could. This allowed the attacker to have control of the guest user's home
> directory and, subsequently, gain control of an arbitrary directory in
> the
> filesystem which could lead to privilege escalation.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/lightdm/+bug/1677924/+subscriptions
>

Revision history for this message

Oliver Grawert (ogra) wrote on 2018-04-22:

#14

This security fix seems to have caused some fallout ... see bug 1733557

Revision history for this message

Noam Rathaus (noamr) wrote on 2018-04-22:

#15

Sorry for being ignorant about this, but I don't know where to look

I looked at Bugzilla for Kernel.org and it doesn't show there

Where should I look?

On Sun, Apr 22, 2018 at 2:24 PM, Oliver Grawert <email address hidden> wrote:
> This security fix seems to have caused some fallout ... see bug 1733557
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677924
>
> Title:
> Local privilege escalation via guest user login
>
> Status in Light Display Manager:
> Fix Released
> Status in Light Display Manager 1.18 series:
> Fix Released
> Status in Light Display Manager 1.20 series:
> Fix Released
> Status in Light Display Manager 1.22 series:
> Fix Released
> Status in lightdm package in Ubuntu:
> Fix Released
> Status in lightdm source package in Xenial:
> Fix Released
> Status in lightdm source package in Yakkety:
> Fix Released
> Status in lightdm source package in Zesty:
> Fix Released
>
> Bug description:
> It was discovered that a local attacker could watch for lightdm's
> guest-account script to create a /tmp/guest-XXXXXX file and then quickly create
> the lowercase representation of the guest user's home directory before lightdm
> could. This allowed the attacker to have control of the guest user's home
> directory and, subsequently, gain control of an arbitrary directory in the
> filesystem which could lead to privilege escalation.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/lightdm/+bug/1677924/+subscriptions