Original Post: Abusing Ubuntu 24.04 features for root privilege escalation
Summary
The article explores security vulnerabilities in the latest Ubuntu 24.04 release. Key findings and steps taken:
-
Initial Setup and Findings:
- Researchers at Snyk Security Labs examined Ubuntu 24.04 for privilege escalation vulnerabilities.
- A successful method was identified allowing privilege escalation from a default user to root.
-
Privilege Boundaries in Ubuntu:
- Common security boundaries in Ubuntu were reviewed, with a primary focus on the DBus RPC framework, which allows different users to interact with privileged processes.
-
Vulnerabilities in DBus Interface:
- Vulnerabilities centered around
org.opensuse.cupspkhelper
, which manages thecups
daemon (a printer service), enabling potential privilege escalations. - Polkit rules that simplify privilege checks for certain actions can be exploited if an attacker compromises a user session.
- Vulnerabilities centered around
-
Methodology:
- Tools like
strace
were used to trace the execution of system calls when interacting with thecups
daemon. - The
ServerSetSettings
DBus method allows alteringcupsd.conf
, causing thecups
daemon to restart with configuration changes.
- Tools like
-
Exploiting the Vulnerability:
- AppArmor policies restrict certain actions, preventing a direct overwrite of critical files (e.g.,
/etc/passwd
). - By manipulating
cupsd.conf
, researchers eventually controlledcups-files.conf
, altering the user and group who execute external programs to expand privileges.
- AppArmor policies restrict certain actions, preventing a direct overwrite of critical files (e.g.,
-
Chaining to Achieve Root:
- Through manipulated PPD files and the DBus interface, commands were injected.
- By exploiting
wpa_supplicant
settings, attackers controlled shared libraries loaded by the service for further privilege escalation.
-
End-to-End Exploitation Steps:
- The exploit involves changing
cupsd.conf
, adding printers with malicious settings, overriding configuration, controlling printing processes, and usingwpa_supplicant
to achieve root command execution.
- The exploit involves changing
-
Mitigations and Timeline:
- The vulnerabilities were responsibly disclosed and patched.
cups
removed dangerouschmod
calls and adjusted configuration processing to enhance security.wpa_supplicant
enforced safe loading paths for shared libraries to prevent arbitrary code execution.
- Conclusion:
- The article highlights the complexity of finding and exploiting chained vulnerabilities while emphasizing the importance of considering systems holistically.
- Quick responses from Ubuntu and
cups
teams improved security, demonstrating effective vulnerability management.
Key Dates
- 08-May-2024: Initial vulnerability report to Ubuntu.
- 24-May-2024: Patches proposed and implemented for
cups
. - 06-Aug-2024: Final patches for all identified vulnerabilities released.
Go here to read the Original Post