Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
network-manager-applet (Ubuntu) | Fix Released | High | Aron Xu |
Precise | Fix Released | High | Marc Deslauriers |
Trusty | Fix Released | High | Marc Deslauriers |
Xenial | Fix Released | High | Marc Deslauriers |
Yakkety | Fix Released | High | Marc Deslauriers |
Zesty | Fix Released | High | Aron Xu |
Bug Description
Hi,
We just found a vulnerability in lightdm which could let us read files with lightdm permissions, and also write in some directories.
We were able to download a reverse_shell payload and execute it in order to gain a reverse shell as lightdm on a remote system.
The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point that lets you log in using a certificate is required as well, but it's easy to create one.
Then, it's possible to open a nautilus window and browse directories. We can also open some applications such as Firefox, which is useful to download malicious binaries :-)
See this video for the PoC:
https:/
---------
Some info about the Ubuntu version I used in the video above:
$ lsb_release -rd
Description: Ubuntu 16.04.2 LTS
Release: 16.04
$ apt-cache policy lightdm
lightdm:
Installé : 1.18.3-0ubuntu1
Candidat : 1.18.3-0ubuntu1
Table de version :
*** 1.18.3-0ubuntu1 500
500 http://
100 /var/lib/
1.
500 http://
----------------
I'm giving you time for a correction before publishing the discovery.
If you have any questions, please let me know!
Regards,
Quentin Biguenet
--
Orange Cyber-Defense
<email address hidden>
CVE References
affects: | unity (Ubuntu) → lightdm (Ubuntu) |
Changed in lightdm (Ubuntu): | |
status: | New → Confirmed |
affects: | lightdm (Ubuntu) → network-manager-applet (Ubuntu) |
summary: | Vulnerability in lightdm allow read/write/exec access on Ubuntu 16.04 - Screenlock as lightdm user → Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user |
Changed in network-manager-applet (Ubuntu): | |
assignee: | nobody → Aron Xu (happyaron) |
Changed in network-manager-applet (Ubuntu): | |
importance: | Undecided → High |
Changed in network-manager-applet (Ubuntu Precise): | |
status: | New → Confirmed |
Changed in network-manager-applet (Ubuntu Trusty): | |
status: | New → Confirmed |
Changed in network-manager-applet (Ubuntu Xenial): | |
status: | New → Confirmed |
Changed in network-manager-applet (Ubuntu Yakkety): | |
status: | New → Confirmed |
Changed in network-manager-applet (Ubuntu Precise): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in network-manager-applet (Ubuntu Trusty): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in network-manager-applet (Ubuntu Xenial): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in network-manager-applet (Ubuntu Yakkety): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in network-manager-applet (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in network-manager-applet (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in network-manager-applet (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in network-manager-applet (Ubuntu Yakkety): | |
importance: | Undecided → High |
information type: | Private Security → Public Security |
tags: | added: patch |
Hi,
Thanks for reporting this issue.
What version of the unity-greeter package do you have installed, and could you also paste your /var/lib/polkit-1/localauthority/10-vendor.d/unity-greeter.pkla file?
Thanks.