Local privilege escalation via guest user login

Bug #1677924 reported by Tyler Hicks
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Light Display Manager
Fix Released
Critical
Unassigned
1.18
Fix Released
Critical
Unassigned
1.20
Fix Released
Critical
Unassigned
1.22
Fix Released
Critical
Unassigned
lightdm (Ubuntu)
Fix Released
Critical
Robert Ancell
Xenial
Fix Released
Critical
Tyler Hicks
Yakkety
Fix Released
Critical
Tyler Hicks
Zesty
Fix Released
Critical
Robert Ancell

Bug Description

It was discovered that a local attacker could watch for lightdm's
guest-account script to create a /tmp/guest-XXXXXX file and then quickly create
the lowercase representation of the guest user's home directory before lightdm
could. This allowed the attacker to have control of the guest user's home
directory and, subsequently, gain control of an arbitrary directory in the
filesystem which could lead to privilege escalation.

Tags: patch
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Here's what I think is the most simple change possible to address this issue. Note that, as described in the commit message, it still allows for a local user to DoS the guest login feature.

@Robert, I'll leave the decision up to you if you want to implement a more complete fix for this issue.

Changed in lightdm:
status: New → Confirmed
Revision history for this message
Robert Ancell (robert-ancell) wrote :

This bug was introduced in revision 2233 (1.17.1).

Changed in lightdm:
importance: Undecided → Critical
status: Confirmed → Triaged
Changed in lightdm (Ubuntu Yakkety):
status: New → Triaged
Changed in lightdm (Ubuntu Zesty):
status: Confirmed → Triaged
Changed in lightdm (Ubuntu Xenial):
status: New → Triaged
Changed in lightdm (Ubuntu Yakkety):
importance: Undecided → Critical
Changed in lightdm (Ubuntu Xenial):
importance: Undecided → Critical
Revision history for this message
Robert Ancell (robert-ancell) wrote :

@Tyler, I'm happy with the fix you've proposed. I think this feature is not critical enough that solving the DoS issue is urgent.

As far as I know there's no method using a shell script to more intelligently generate the username / directory. To solve that the guest creation script would need to use another language.

Revision history for this message
Robert Ancell (robert-ancell) wrote :
Revision history for this message
Tyler Hicks (tyhicks) wrote :

This is CVE-2017-7358

Revision history for this message
Tyler Hicks (tyhicks) wrote :

@Robert, to solve the DoS in that shell script you'd need to first securely create a tmp dir such as /tmp/lightdm-XXXXXX and then create another guest-XXXXXX tmp dir underneath it. The only downside that I can see is that the /tmp/lightdm-XXXXXX directory would not be cleaned up when the guest user ended their session.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

@Tyler, I think that change will make the script even more complicated so I'll stick with the proposed patch.

Tyler Hicks (tyhicks)
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

I'm attaching a slightly updated patch for this issue. I had incorrectly given credit to the individual that reported this issue to Ubuntu Security as being the person that discovered the issue. Maor Schwartz of Beyond Security reported the issue but the individual that actually discovered the issue remains anonymous.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.19.5-0ubuntu1.1

---------------
lightdm (1.19.5-0ubuntu1.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: Directory traversal allowing arbitrary directory
    ownership and privilege escalation (LP: #1677924)
    - debian/guest-account.sh: Detect existing malicious guest user home dirs
      before proceeding with guest user creation
    - CVE-2017-7358

 -- Tyler Hicks <email address hidden> Fri, 31 Mar 2017 16:04:04 +0000

Changed in lightdm (Ubuntu Yakkety):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.18.3-0ubuntu1.1

---------------
lightdm (1.18.3-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Directory traversal allowing arbitrary directory
    ownership and privilege escalation (LP: #1677924)
    - debian/guest-account.sh: Detect existing malicious guest user home dirs
      before proceeding with guest user creation
    - CVE-2017-7358

 -- Tyler Hicks <email address hidden> Fri, 31 Mar 2017 16:04:04 +0000

Changed in lightdm (Ubuntu Xenial):
status: Triaged → Fix Released
Tyler Hicks (tyhicks)
information type: Private Security → Public Security
Changed in lightdm (Ubuntu Xenial):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in lightdm (Ubuntu Yakkety):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in lightdm (Ubuntu Zesty):
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm:
status: Triaged → Fix Committed
status: Fix Committed → Fix Released
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.22.0-0ubuntu2

---------------
lightdm (1.22.0-0ubuntu2) zesty; urgency=medium

  * SECURITY UPDATE: Directory traversal allowing arbitrary directory
    ownership and privilege escalation (LP: #1677924)
    - debian/guest-account.sh: Detect existing malicious guest user home dirs
      before proceeding with guest user creation
    - CVE-2017-7358

 -- Robert Ancell <email address hidden> Wed, 05 Apr 2017 10:34:32 +1200

Changed in lightdm (Ubuntu Zesty):
status: Triaged → Fix Released
Revision history for this message
Tyler Hicks (tyhicks) wrote :

As a note to any backporters, the original fix for this bug should include the following change as well:

  https://code.launchpad.net/~tyhicks/lightdm/guest-dir-perms/+merge/322906

It is technically optional but definitely recommended.

Revision history for this message
Noam Rathaus (noamr) wrote : Re: [Bug 1677924] Re: Local privilege escalation via guest user login

Hi

Thanks for the update

---
Thanks,
Noam Rathaus

On Apr 21, 2017 04:15, "Tyler Hicks" <email address hidden> wrote:

> As a note to any backporters, the original fix for this bug should
> include the following change as well:
>
> https://code.launchpad.net/~tyhicks/lightdm/guest-dir-
> perms/+merge/322906
>
> It is technically optional but definitely recommended.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677924
>
> Title:
> Local privilege escalation via guest user login
>
> Status in Light Display Manager:
> Fix Released
> Status in Light Display Manager 1.18 series:
> Fix Released
> Status in Light Display Manager 1.20 series:
> Fix Released
> Status in Light Display Manager 1.22 series:
> Fix Released
> Status in lightdm package in Ubuntu:
> Fix Released
> Status in lightdm source package in Xenial:
> Fix Released
> Status in lightdm source package in Yakkety:
> Fix Released
> Status in lightdm source package in Zesty:
> Fix Released
>
> Bug description:
> It was discovered that a local attacker could watch for lightdm's
> guest-account script to create a /tmp/guest-XXXXXX file and then quickly
> create
> the lowercase representation of the guest user's home directory before
> lightdm
> could. This allowed the attacker to have control of the guest user's home
> directory and, subsequently, gain control of an arbitrary directory in
> the
> filesystem which could lead to privilege escalation.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/lightdm/+bug/1677924/+subscriptions
>

Revision history for this message
Oliver Grawert (ogra) wrote :

This security fix seems to have caused some fallout ... see bug 1733557

Revision history for this message
Noam Rathaus (noamr) wrote :

Sorry for being ignorant about this, but I don't know where to look

I looked at Bugzilla for Kernel.org and it doesn't show there

Where should I look?

On Sun, Apr 22, 2018 at 2:24 PM, Oliver Grawert <email address hidden> wrote:
> This security fix seems to have caused some fallout ... see bug 1733557
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677924
>
> Title:
> Local privilege escalation via guest user login
>
> Status in Light Display Manager:
> Fix Released
> Status in Light Display Manager 1.18 series:
> Fix Released
> Status in Light Display Manager 1.20 series:
> Fix Released
> Status in Light Display Manager 1.22 series:
> Fix Released
> Status in lightdm package in Ubuntu:
> Fix Released
> Status in lightdm source package in Xenial:
> Fix Released
> Status in lightdm source package in Yakkety:
> Fix Released
> Status in lightdm source package in Zesty:
> Fix Released
>
> Bug description:
> It was discovered that a local attacker could watch for lightdm's
> guest-account script to create a /tmp/guest-XXXXXX file and then quickly create
> the lowercase representation of the guest user's home directory before lightdm
> could. This allowed the attacker to have control of the guest user's home
> directory and, subsequently, gain control of an arbitrary directory in the
> filesystem which could lead to privilege escalation.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/lightdm/+bug/1677924/+subscriptions

--

Thanks,
Noam Rathaus
Beyond Security

PGP Key ID: 7EF920D3C045D63F (Exp 2019-03)

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Noam, ogra's comment on bug 1733557 is for: https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1733557

It automatically gets hyperlinked when viewing https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1677924 directly.

Thanks

Revision history for this message
Tyler Hicks (tyhicks) wrote :

@ogra it isn't obvious how the fix for this bug could have caused bug 1733557. Can you elaborate?

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.