A vulnerability in GNOME Display Manager (gdm) could allow a standard user to create accounts with elevated privileges, giving a local attacker a path to executing code as root.
Although certain conditions must be met, the bug is easy to exploit. The process involves running a few simple commands in the terminal and changing general system settings that do not require elevated permissions.
Add a new administrator
Exploiting the bug in gdm3 relies on crashing the AccountsService component, which keeps track of the users available on the system.
In addition to handling graphical display managers, gdm3 is also responsible for displaying the user login interface on Unix-like operating systems.
GitHub security researcher Kevin Backhouse has discovered a simple way to trick an already installed Ubuntu system into running the account setup routine for a new system. This scenario requires an administrator account for setting up the machine and installing applications.
The researcher found that gdm3 triggered this sequence when the accounts-daemon of the AccountsService component was not running. A standard user should not be able to stop it.
However, Backhouse discovered two vulnerabilities in AccountsService that caused the component to hang (CVE-2020-16127) and to drop privileges to those of the user account (CVE-2020-16126), allowing a standard user to stop the daemon by sending it a delayed segmentation fault signal (kill -SIGSEGV).
The delay is necessary to give time to log out of the current session.
These two vulnerabilities affect Ubuntu 20.10, Ubuntu 20.04, Ubuntu 18.04 and Ubuntu 16.04.
For CVE-2020-16127, the researcher explains that it was caused by code added to Ubuntu's version of AccountsService that does not exist in the upstream version maintained by freedesktop.
It could be triggered by making a change in the system Settings that did not require elevated permissions.
With AccountsService not running, gdm3 has no indication of the accounts on the machine and offers the option to create a new one with root privileges, as in a first-time installation.
This bug is now tracked as CVE-2020-16125 and is rated 7.2 out of 10, so it is classified as a serious vulnerability. It affects Ubuntu 20.10, Ubuntu 20.04 and Ubuntu 18.04.
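The chain described above leaves a trail a defender can look for: an accounts-daemon exit from a segmentation fault, followed shortly by an account being added to an administrative group. The Python below is an added example, not code from the article or from Backhouse's reports; the log lines are constructed, and the message formats, group names and 10-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). Message formats are
# assumptions modeled on systemd and shadow-utils output.
SAMPLE_LOG = """\
2020-11-10T10:14:30 host systemd[1]: accounts-daemon.service: Main process exited, code=dumped, status=11/SEGV
2020-11-10T10:16:02 host useradd[4211]: new user: name=newadmin, UID=1001, GID=1001, home=/home/newadmin, shell=/bin/bash
2020-11-10T10:16:03 host usermod[4215]: add 'newadmin' to group 'sudo'
2020-11-10T15:40:01 host usermod[9003]: add 'builder' to group 'sudo'
"""

CRASH = re.compile(r"accounts-daemon\.service: Main process exited, .*status=11/SEGV")
# Assumed names of administrative groups; adjust for the distribution.
ADMIN_ADD = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>sudo|admin|wheel)'")
WINDOW = timedelta(minutes=10)  # assumed correlation window


def find_admin_adds_after_crash(log_text, window=WINDOW):
    """Return admin-group additions that follow an accounts-daemon SEGV within `window`."""
    last_crash = None
    findings = []
    for line in log_text.splitlines():
        stamp, _, message = line.partition(" ")
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip blank lines and lines without an ISO timestamp
        if CRASH.search(message):
            last_crash = when
            continue
        match = ADMIN_ADD.search(message)
        if match and last_crash is not None and timedelta(0) <= when - last_crash <= window:
            findings.append({
                "user": match["user"],
                "group": match["group"],
                "crash_at": last_crash.isoformat(),
                "added_at": when.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for hit in find_admin_adds_after_crash(SAMPLE_LOG):
        print("review:", hit)
```

On the constructed sample only the account added about 90 seconds after the crash is reported; the later addition falls outside the window and is ignored.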
Backhouse created a video that shows how easy it was to exploit the gdm3 vulnerability in Ubuntu 20.04.
Backhouse on Monday published separate reports on these three vulnerabilities, which provide technical details. He reported them to Ubuntu and GNOME maintainers on October 17, and fixes are available in the latest code.