Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| network-manager-applet (Ubuntu) | Fix Released | High | Aron Xu | |
| Precise | Fix Released | High | Marc Deslauriers | |
| Trusty | Fix Released | High | Marc Deslauriers | |
| Xenial | Fix Released | High | Marc Deslauriers | |
| Yakkety | Fix Released | High | Marc Deslauriers | |
| Zesty | Fix Released | High | Aron Xu | |
Bug Description
Hi,
We just found a vulnerability in lightdm which could lead us to read files with lightdm permissions, and also write in some directories.
We were able to download a reverse_shell payload and execute it in order to gain a reverse shell as lightdm on a remote system.
The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point which lets you use a certificate to log in is required as well, but it's easy to create one.
Then, it's possible to open a nautilus window and browse directories. We can also open some applications such as Firefox, which is useful to download malicious binaries :-)
See this video for the PoC:
https:/
---------
Some info about the Ubuntu version I used in the video above:
$ lsb_release -rd
Description: Ubuntu 16.04.2 LTS
Release: 16.04
$ apt-cache policy lightdm
lightdm:
Installé : 1.18.3-0ubuntu1
Candidat : 1.18.3-0ubuntu1
Table de version :
*** 1.18.3-0ubuntu1 500
500 http://
100 /var/lib/
1.
500 http://
----------------
I will give you time for correction before publishing the discovery.
If you have any questions, please let me know!
Regards,
Quentin Biguenet
--
Orange Cyber-Defense
<email address hidden>
CVE References
| affects: | unity (Ubuntu) → lightdm (Ubuntu) |
| Changed in lightdm (Ubuntu): | |
| status: | New → Confirmed |
| affects: | lightdm (Ubuntu) → network-manager-applet (Ubuntu) |
| summary: | Vulnerability in lightdm allow read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user → Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user |
| Changed in network-manager-applet (Ubuntu): | |
| assignee: | nobody → Aron Xu (happyaron) |
| Changed in network-manager-applet (Ubuntu): | |
| importance: | Undecided → High |
| Changed in network-manager-applet (Ubuntu Precise): | |
| status: | New → Confirmed |
| Changed in network-manager-applet (Ubuntu Trusty): | |
| status: | New → Confirmed |
| Changed in network-manager-applet (Ubuntu Xenial): | |
| status: | New → Confirmed |
| Changed in network-manager-applet (Ubuntu Yakkety): | |
| status: | New → Confirmed |
| Changed in network-manager-applet (Ubuntu Precise): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Changed in network-manager-applet (Ubuntu Trusty): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Changed in network-manager-applet (Ubuntu Xenial): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Changed in network-manager-applet (Ubuntu Yakkety): | |
| assignee: | nobody → Marc Deslauriers (mdeslaur) |
| Changed in network-manager-applet (Ubuntu Precise): | |
| importance: | Undecided → High |
| Changed in network-manager-applet (Ubuntu Trusty): | |
| importance: | Undecided → High |
| Changed in network-manager-applet (Ubuntu Xenial): | |
| importance: | Undecided → High |
| Changed in network-manager-applet (Ubuntu Yakkety): | |
| importance: | Undecided → High |
| information type: | Private Security → Public Security |
| tags: | added: patch |

Hi,
Thanks for reporting this issue.
What version of the unity-greeter package do you have installed, and could you also paste your /var/lib/polkit-1/localauthority/10-vendor.d/unity-greeter.pkla file?
Thanks.