Comment 9 for bug 1867424

B. (b-deactivatedaccount-deactivatedaccount) wrote :

This is more than just Telemetry; it is a Trojan in the Ubuntu Distro.

A remote code-execution (RCE) vulnerability
in every Ubuntu of the world! Why?

Simple

curl is launched as root (not the best practice!),
and the Ubuntu Distro fetches https://motd.ubuntu.com multiple times per day.
If someone (like 3-letters or 4-letters) controls this Amazon Web server,
then, knowing the version of curl (provided by the script), they can exploit any
known vulnerability present in curl or use a curl zero day, and they will have
"root" access to any Ubuntu Server, Desktop or Laptop of the world!

Proof of Concept

Add the following before the for loop calling curl in /etc/update-motd.d/50-motd-news

date +'%Y-%m-%d %H:%M:%S' >> /tmp/test
whoami >> /tmp/test
echo $USER_AGENT >> /tmp/test

wait 12 hours... or 12:00 / 00:00 or reboot

cat /tmp/test

2020-06-05 12:00:00
root
curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/**********-generic/x86_64 Intel(R)/Core(TM)/i7-******/CPU/@/*****GHz uptime/70.55/921.20 cloud_id/unknown
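Added example (not from this bug report or from the motd-news script itself): a POSIX shell parser that splits a User-Agent in the format shown above into its fields, so an administrator can see exactly what each daily request discloses. The sample User-Agent is constructed, with placeholder kernel and CPU values.

```shell
#!/bin/sh
# Constructed sample in the motd-news User-Agent format (kernel and CPU
# values are placeholders, not a real machine).
SAMPLE_UA='curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/5.4.0-00-generic/x86_64 Intel(R)/Core(TM)/i7-0000/CPU/@/0.00GHz uptime/70.55/921.20 cloud_id/unknown'

# motd_ua_field "<user-agent>" <curl|release|kernel|arch|cpu|uptime|cloud>
# Prints the requested field, or returns 1 if it is absent.
# The UA never contains spaces (they are replaced by '/'), so word
# splitting on whitespace yields one token per field.
motd_ua_field() {
    ua=$1; field=$2
    for tok in $ua; do
        case "$field:$tok" in
            curl:curl/*)        printf '%s\n' "${tok#curl/}"; return 0 ;;
            release:Ubuntu/*)   printf '%s\n' "${tok#Ubuntu/}"; return 0 ;;
            kernel:GNU/Linux/*) k=${tok#GNU/Linux/}; printf '%s\n' "${k%/*}"; return 0 ;;
            arch:GNU/Linux/*)   printf '%s\n' "${tok##*/}"; return 0 ;;
            uptime:uptime/*)    u=${tok#uptime/}; printf '%s\n' "${u%%/*}"; return 0 ;;
            cloud:cloud_id/*)   printf '%s\n' "${tok#cloud_id/}"; return 0 ;;
            # The CPU model is the only token without a fixed prefix.
            cpu:curl/*|cpu:Ubuntu/*|cpu:GNU/*|cpu:uptime/*|cpu:cloud_id/*) ;;
            cpu:*)              printf '%s\n' "$tok" | tr '/' ' '; return 0 ;;
        esac
    done
    return 1
}

# One line per disclosed field, for reviewing what leaves the host.
motd_ua_report() {
    for f in curl release kernel arch cpu uptime cloud; do
        printf '%-8s %s\n' "$f" "$(motd_ua_field "$1" "$f")"
    done
}

motd_ua_report "$SAMPLE_UA"
```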