Skip to content

Exploiting Ubuntu 24.04: Uncovering Root Privilege Escalation Vulnerabilities

Original Post: Abusing Ubuntu 24.04 features for root privilege escalation

Summary

The article explores security vulnerabilities in the latest Ubuntu 24.04 release. Key findings and steps taken:

  1. Initial Setup and Findings:

    • Researchers at Snyk Security Labs examined Ubuntu 24.04 for privilege escalation vulnerabilities.
    • A successful method was identified allowing privilege escalation from a default user to root.
  2. Privilege Boundaries in Ubuntu:

    • Common security boundaries in Ubuntu were reviewed, with a primary focus on the DBus RPC framework, which allows different users to interact with privileged processes.
  3. Vulnerabilities in DBus Interface:

    • Vulnerabilities centered around org.opensuse.cupspkhelper, which manages the cups daemon (a printer service), enabling potential privilege escalations.
    • Polkit rules that simplify privilege checks for certain actions can be exploited if an attacker compromises a user session.
  4. Methodology:

    • Tools like strace were used to trace the execution of system calls when interacting with the cups daemon.
    • The ServerSetSettings DBus method allows altering cupsd.conf, causing the cups daemon to restart with configuration changes.
  5. Exploiting the Vulnerability:

    • AppArmor policies restrict certain actions, preventing a direct overwrite of critical files (e.g., /etc/passwd).
    • By manipulating cupsd.conf, researchers eventually controlled cups-files.conf, altering the user and group who execute external programs to expand privileges.
  6. Chaining to Achieve Root:

    • Through manipulated PPD files and the DBus interface, commands were injected.
    • By exploiting wpa_supplicant settings, attackers controlled shared libraries loaded by the service for further privilege escalation.
  7. End-to-End Exploitation Steps:

    • The exploit involves changing cupsd.conf, adding printers with malicious settings, overriding configuration, controlling printing processes, and using wpa_supplicant to achieve root command execution.
  8. Mitigations and Timeline:

    • The vulnerabilities were responsibly disclosed and patched.
    • cups removed dangerous chmod calls and adjusted configuration processing to enhance security.
    • wpa_supplicant enforced safe loading paths for shared libraries to prevent arbitrary code execution.
  9. Conclusion:
    • The article highlights the complexity of finding and exploiting chained vulnerabilities while emphasizing the importance of considering systems holistically.
    • Quick responses from Ubuntu and cups teams improved security, demonstrating effective vulnerability management.

Key Dates

  • 08-May-2024: Initial vulnerability report to Ubuntu.
  • 24-May-2024: Patches proposed and implemented for cups.
  • 06-Aug-2024: Final patches for all identified vulnerabilities released.

Go here to read the Original Post

Leave a Reply

Your email address will not be published. Required fields are marked *

Exit mobile version