Local privilege escalation via guest user login
Bug #1677924 reported by
Tyler Hicks
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Light Display Manager |
Fix Released
|
Critical
|
Unassigned | ||
1.18 |
Fix Released
|
Critical
|
Unassigned | ||
1.20 |
Fix Released
|
Critical
|
Unassigned | ||
1.22 |
Fix Released
|
Critical
|
Unassigned | ||
lightdm (Ubuntu) |
Fix Released
|
Critical
|
Robert Ancell | ||
Xenial |
Fix Released
|
Critical
|
Tyler Hicks | ||
Yakkety |
Fix Released
|
Critical
|
Tyler Hicks | ||
Zesty |
Fix Released
|
Critical
|
Robert Ancell |
Bug Description
It was discovered that a local attacker could watch for lightdm's
guest-account script to create a /tmp/guest-XXXXXX file and then quickly create
the lowercase representation of the guest user's home directory before lightdm
could. This allowed the attacker to have control of the guest user's home
directory and, subsequently, gain control of an arbitrary directory in the
filesystem which could lead to privilege escalation.
CVE References
description: | updated |
information type: | Private Security → Public Security |
Changed in lightdm (Ubuntu Xenial): | |
assignee: | nobody → Tyler Hicks (tyhicks) |
Changed in lightdm (Ubuntu Yakkety): | |
assignee: | nobody → Tyler Hicks (tyhicks) |
Changed in lightdm (Ubuntu Zesty): | |
assignee: | nobody → Robert Ancell (robert-ancell) |
Changed in lightdm: | |
status: | Triaged → Fix Committed |
status: | Fix Committed → Fix Released |
tags: | added: patch |
To post a comment you must log in.
Here's what I think is the most simple change possible to address this issue. Note that, as described in the commit message, it still allows for a local user to DoS the guest login feature.
@Robert, I'll leave the decision up to you if you want to implement a more complete fix for this issue.