Abusing Ubuntu 24.04 features for root privilege escalation (opens in new tab)

(snyk.io)

189 pointssaltypal1y ago77 comments

77 comments

24.04 also ships with a footgun that keeps PasswordAuthentication enabled even if you edit /etc/ssh/sshd_config. It adds a /etc/ssh/sshd_config.d/50-cloud-init.conf that force overrides any PasswordAuthentication settings you have configured in /etc/ssh/sshd_config.

See here: https://news.ycombinator.com/item?id=42133181

HumanOstrich1y ago

A better practice is to use the `.d/` convention as intended - so you can have overrides and customizations without having to edit the OS-managed /etc/ssh/sshd_config file and fight it if an OS upgrade changes it.

Edit: It's not really a mistake on Ubuntu's part, and is common in other distros for overriding upstream defaults[1].

[1]: https://askubuntu.com/a/1516347

Fire-Dragon-DoL1y ago

There is a bug with that where you cannot "redefine" the ftp command used (I think it was that, or the group declaration), so in the end I had to edit the configuration manually either way

homebrewer1y ago

The proposed solution is bad, the file will be restored by the package manager at some point. Always prefix your override files with '99-' or 'zz-', this would have prevented the problem.

wahern1y ago

For OpenSSH configuration the first directive controls, not the last. So if you want to set an option make sure your include filename comes lexically earlier, not later. This is why the Include directive is at the top of distro-installed /etc/ssh/sshd_config. You can verify your server configuration using `sshd -T`, and a client configuration using `ssh -G`; they dump the resolved configuration to stdout.

SoftTalker1y ago

I don't have /etc/ssh/sshd_config.d/50-cloud-init.conf on my ubuntu 24.04 machines. What creates it? Is it a clean-install vs. upgrade difference perhaps?

vbezhenar1y ago

This file is created when the server is provisioned with cloud-init. For example when you use https://cloud-images.ubuntu.com/ as a template image to create your VM. For these cases you would need to supply cloud-init config via separate means (openstack user-data or just secondary mounted ISO) and cloud-init would perform post-install tasks like configuring users, passwords, ssh keys, etc. If you just install your machine from ISO, cloud-init is not used.

I guess that many hosters will use cloud-init for their VPS offerings "under-the-hood". Usually they'll generate password and mail it to you, so obviously ssh password should be allowed for this case.

HumanOstrich1y ago

Unfortunately, one possibility is the user chose "enable SSH password authentication" during the install [1]. Or it's a cloud instance from a provider that provisions instances with a password.

[1]: https://askubuntu.com/a/1440509

d0mine1y ago

It is Ubuntu issue, it is cloud-init issue. You can get the same result on other distros provisioned by cloud-init.

MortyWaves1y ago

Now I definitely feel glad that I decided on moving back to Debian for servers.

vbezhenar1y ago

It works identically for debian. Just today I configured debian server with cloud-init and it created absolutely the same file.

gazunklenut1y ago

Pretty sure this exists on Debian too

3 more replies

HumanOstrich1y ago

Err, why? Nothing is actually broken with Ubuntu 24.04. The issue GP is describing is just a lack of understanding of how config files have worked on Linux for decades.

On top of that, this issue doesn't even "ship with 24.04". GP probably chose to enable password auth in SSH during installation, or they used a cloud provider that provisions instances with passwords and overrides the default.

2 more replies

amelius1y ago

Does anyone know how to turn off auto updates on Ubuntu 22?

I thought I fixed it, but apparently not. It is driving me crazy.

1 more reply

charliebwrites1y ago

Is this true for Ubuntu Server 24 as well?

Was thinking of upgrading but not if I can’t configure SSH to be key only

HumanOstrich1y ago

There is nothing broken with Ubuntu, just people not understanding how configuration files work in Linux, choosing to enable password auth in SSH during installation, or using a cloud provider that provisions instances with passwords and overrides the default.

lathiat1y ago

You can still configure it to be key only, you just need to put your own override as a file in /etc/ssh/sshd_config.d/ rather than /etc/ssh/sshd_config. The files are read ins order, so your filename needs to sort after the 50-cloud-init.conf file.

This would work: echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/60-password-auth.conf

1 more reply

yrro1y ago

Am I crazy or have people lost the ability to read documentation?

yrro1y ago

(specifically <https://cloudinit.readthedocs.io/en/latest/reference/modules...>)

xarope1y ago

omg I just disabled this on a major server that was just upgraded to 24.04.

Had to check my other VMs. Luckily most of them are debian or 22.04 (for now).

BonusPlay1y ago

Linux Local Privilege Escalation, but the attacker has to be in sudo group in the first place.

Great read, but this feels like academic research. Technically correct, but impractical at best.

nneonneo1y ago

To be precise: you don't need to be in the sudo group, but in the lpadmin group. I'm not familiar with how Ubuntu groups are set up, but I guess it's likely that lpadmin is only granted to administrators by default.

That said, I'm guessing people aren't expecting lpadmin to mean a full privilege escalation to root.

There are two bugs here: one in cups, which allows it to chmod anything 777 (doesn't properly check for symlinks, or for the failure of bind), and one in wpa_supplicant, which lets it load arbitrary .so files as root. However, I suspect that even if these bugs are fixed, having access to lpadmin will still be a powerful enough primitive to escalate to root given the rather sizable attack surface of cups.

justmarc1y ago

It became crystal clear that cups is a can of worms, and it would be prudent to completely replace it with with a new solution built from the ground up, ideally using modern tools and standards.

7 more replies

rlpb1y ago

To expand on this: if the user is in the sudo group, they have explicit permission to execute anything they like as root. If someone wants a user to not be able to do this, they don't put that user in the sudo group. As far as I can tell from the write-up, if you remove a user from the sudo group because you don't want them to have that privilege then this "exploit" won't work.

The bugs found look correct and have security implications, but what is demonstrated is therefore not really "root privilege escalation" since it applies only to users who already have that privilege.

LeifCarrotson1y ago

They can execute anything they like as root... by entering their password.

This post shows a way that clever code can execute anything it likes as root without knowing the user's password. That seems pretty significant to me.

3 more replies

dTal1y ago

If that is your attitude, why bother with the sudo group at all? Just run as root.

(For what it's worth, I think most people would not lose much security from running as root, and the obsession with sudo is so much security theater, for exactly this sort of reason.)

chgs1y ago

User accounts and sudo does auditing of who is doing what. They’re are other ways, sure, but checking auth.log is the simplest.

And while lpadmin users can escalate, I’m more interested in escalations from services like web servers or whatever, running as low priv users. I use sudo to allow scripts running as my web server to run specific limited privileged programs as a simple layer of defence.

vbezhenar1y ago

It's security cargo cult.

Use sudo instead of root. Change ssh port. Disable ssh passwords. Use some port knocking schemes or fail2ban. Close all ports with firewall. Some of those requirements might come from some stupid complicance rules, but usually they just come from rumors and lack of clear understanding of threat model. And sometimes they might even slightly reduce security gurantees (like changing ssh port to 10022, there's actually a security reason why only root can bind to <1024 port and by changing it to higher port you lose some tiny protection that unix greybeards invented for you).

I'm not saying that all those measures are useless, in fact I often change ssh port myself. But I'm doing that purely to reduce log spam, not because that's necessary for security. Configuring firewall might be necessary in rare cases when brain-dead software must listen on 0.0.0.0 but must not be available outside. But that's not something given and should be decided in case-by-case basis, rather than applied blindly.

nneonneo1y ago

Honestly, sudo’s value is really sanity, not security.

The first time you use certain flavors of sudo, you get a nice little message which reminds you why sudo exists:

  We trust you have received the usual lecture from the local System
  Administrator. It usually boils down to these three things:
  
      #1) Respect the privacy of others.
      #2) Think before you type.
      #3) With great power comes great responsibility.

Realistically, sudo exists to remind a user of these points. That is: by needing to type “sudo” before a command, you’re being reminded to pay closer attention that you’re not violating another user’s privacy or doing something that’s going to break your system.

1 more reply

JackSlateur1y ago

You are correct Sudo is not that useful, running as root is actually nice

Because in both cases, you must auditd, and then you understand that sudo adds few values

fred_is_fred1y ago

That was a great read. The way the author builds the exploit, brick by brick, is well done and not all all obvious or clear. Each step by itself is somewhat concerning but there's no Eureka! moment until very late.

schoen1y ago

I wonder if there's a tool to create dependency graphs for these dbus and polkit interactions, ideally to better audit those that seem to cross interesting trust boundaries.

trod12341y ago

Not surprising, Ubuntu has suffered a wide array of issues going all the way back to their releases following 18.04 LTS.

D-BUS has long been targeted by attackers for the exact reasons the author goes into (its fairly common knowledge in some circles). Not just because of the difference in security contexts but also because of the lack of visibility on these channels with OOB configurations for logging/monitoring.

D-BUS Activation has also been targeted before, many times for its ability to effectively re-parent a process under different pids/names/users, and hiding that process is usually not that hard using a simple mount bind on the associated /proc/pid and mounts directory post exploitation.

With the poisoning of the Ubuntu repository (with fixup scripts to re-enable snap), their security posture became untenable, but has only gotten worse over time.

sheerun1y ago

The only feedback I get when installing d-spy is "Uses System Services", and "Uses Session Services", which means nothing to me as a user, and yet it allows program to enumerate all programs I use and as it turns out even hack my computer. Other platforms solved this with something like "developer mode", iOS, Android, Meta, etc. I shouldn't be able to install this app without confirming developer-mode-only permissions. As for this particular app it is offline, yes, but dbus allows for cross-app communication, so no more

nneonneo1y ago

You’re running desktop Linux - your whole system is permanently in “developer mode”. That’s kind of the point? Windows and macOS don’t have “developer mode” either, at least not to the extent seen in the mobile OSes.

They’re very different models of computing.

Vilian1y ago

The only way to not be in "developer mode" is to install something like fedora atomic, then everything is harder lol

sylware1y ago

It is time to stop that: there is no "security", this is a fantasy which does not exist. Nowadays, anybody saying otherwise is trying to sell you something.

The only real security is to protect basic users from themselves, namely breaking their systems. That's it. (rm -Rf /)

j / k navigate · click thread line to collapse

77 comments

samlinnfer1y ago

See here: https://news.ycombinator.com/item?id=42133181

HumanOstrich1y ago

Edit: It's not really a mistake on Ubuntu's part, and is common in other distros for overriding upstream defaults[1].

[1]: https://askubuntu.com/a/1516347

Fire-Dragon-DoL1y ago

There is a bug with that where you cannot "redefine" the ftp command used (I think it was that, or the group declaration), so in the end I had to edit the configuration manually either way

homebrewer1y ago

The proposed solution is bad, the file will be restored by the package manager at some point. Always prefix your override files with '99-' or 'zz-', this would have prevented the problem.

wahern1y ago

SoftTalker1y ago

I don't have /etc/ssh/sshd_config.d/50-cloud-init.conf on my ubuntu 24.04 machines. What creates it? Is it a clean-install vs. upgrade difference perhaps?

vbezhenar1y ago

HumanOstrich1y ago

Unfortunately, one possibility is the user chose "enable SSH password authentication" during the install [1]. Or it's a cloud instance from a provider that provisions instances with a password.

[1]: https://askubuntu.com/a/1440509

d0mine1y ago

It is Ubuntu issue, it is cloud-init issue. You can get the same result on other distros provisioned by cloud-init.

MortyWaves1y ago

Now I definitely feel glad that I decided on moving back to Debian for servers.

vbezhenar1y ago

It works identically for debian. Just today I configured debian server with cloud-init and it created absolutely the same file.

gazunklenut1y ago

Pretty sure this exists on Debian too

3 more replies

HumanOstrich1y ago

Err, why? Nothing is actually broken with Ubuntu 24.04. The issue GP is describing is just a lack of understanding of how config files have worked on Linux for decades.

2 more replies

amelius1y ago

Does anyone know how to turn off auto updates on Ubuntu 22?

I thought I fixed it, but apparently not. It is driving me crazy.

1 more reply

charliebwrites1y ago

Is this true for Ubuntu Server 24 as well?

Was thinking of upgrading but not if I can’t configure SSH to be key only

HumanOstrich1y ago

lathiat1y ago

This would work: echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/60-password-auth.conf

1 more reply

yrro1y ago

Am I crazy or have people lost the ability to read documentation?

yrro1y ago

(specifically <https://cloudinit.readthedocs.io/en/latest/reference/modules...>)

xarope1y ago

omg I just disabled this on a major server that was just upgraded to 24.04.

Had to check my other VMs. Luckily most of them are debian or 22.04 (for now).

BonusPlay1y ago

Linux Local Privilege Escalation, but the attacker has to be in sudo group in the first place.

Great read, but this feels like academic research. Technically correct, but impractical at best.

nneonneo1y ago

That said, I'm guessing people aren't expecting lpadmin to mean a full privilege escalation to root.

justmarc1y ago

It became crystal clear that cups is a can of worms, and it would be prudent to completely replace it with with a new solution built from the ground up, ideally using modern tools and standards.

7 more replies

rlpb1y ago

LeifCarrotson1y ago

They can execute anything they like as root... by entering their password.

This post shows a way that clever code can execute anything it likes as root without knowing the user's password. That seems pretty significant to me.

3 more replies

dTal1y ago

If that is your attitude, why bother with the sudo group at all? Just run as root.

(For what it's worth, I think most people would not lose much security from running as root, and the obsession with sudo is so much security theater, for exactly this sort of reason.)

chgs1y ago

User accounts and sudo does auditing of who is doing what. They’re are other ways, sure, but checking auth.log is the simplest.

vbezhenar1y ago

It's security cargo cult.

nneonneo1y ago

Honestly, sudo’s value is really sanity, not security.

The first time you use certain flavors of sudo, you get a nice little message which reminds you why sudo exists:

  We trust you have received the usual lecture from the local System
  Administrator. It usually boils down to these three things:
  
      #1) Respect the privacy of others.
      #2) Think before you type.
      #3) With great power comes great responsibility.

1 more reply

JackSlateur1y ago

You are correct Sudo is not that useful, running as root is actually nice

Because in both cases, you must auditd, and then you understand that sudo adds few values

fred_is_fred1y ago

schoen1y ago

I wonder if there's a tool to create dependency graphs for these dbus and polkit interactions, ideally to better audit those that seem to cross interesting trust boundaries.

trod12341y ago

Not surprising, Ubuntu has suffered a wide array of issues going all the way back to their releases following 18.04 LTS.

With the poisoning of the Ubuntu repository (with fixup scripts to re-enable snap), their security posture became untenable, but has only gotten worse over time.

sheerun1y ago

nneonneo1y ago

They’re very different models of computing.

Vilian1y ago

The only way to not be in "developer mode" is to install something like fedora atomic, then everything is harder lol

sylware1y ago

It is time to stop that: there is no "security", this is a fantasy which does not exist. Nowadays, anybody saying otherwise is trying to sell you something.

The only real security is to protect basic users from themselves, namely breaking their systems. That's it. (rm -Rf /)

j / k navigate · click thread line to collapse