Attackers Can Get Root by Crashing Ubuntu’s AccountsService

A local privilege escalation security vulnerability could allow attackers to gain root access on Ubuntu systems by exploiting a double-free memory corruption bug in GNOME’s AccountsService component.

AccountsService is a D-Bus service that helps manipulate and query information attached to the user accounts available on a device.

The security flaw (a memory management bug tracked as CVE-2021-3939) was accidentally spotted by GitHub security researcher Kevin Backhouse while testing an exploit demo for another AccountsService bug that also made it possible to escalate privileges to root on vulnerable devices.

Also Read: 5 Brief Concepts Between Data Protection Directive vs GDPR

“AccountsService could be made to crash or run programs as an administrator if it received a specially crafted command,” an Ubuntu security advisory explains.

Backhouse found that AccountsService incorrectly handled memory during some language setting operations, a flaw that local attackers could abuse to escalate privileges.

The bug only affects Ubuntu’s fork of AccountsService. Versions impacted by this vulnerability include Ubuntu 21.10, Ubuntu 21.04, and Ubuntu 20.04 LTS.

This privilege escalation flaw was fixed by Canonical in November when AccountsService versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1 were released. After applying the updates, you will also need to restart the computer to apply the changes.

Not the fastest, but definitely reliable

As he explains, his CVE-2021-3939 proof of concept exploit is slow (could that several hours) and will not work every time. However, it doesn’t matter since it can be executed until successful, seeing that the double-free bug allows crashing AccountsService as many times as needed.

The only restriction to successfully exploiting this bug is that the AccountsService crashes are rate-limited by systemd, blocking attempts to restart it more than five times every 10 seconds.

Also Read: Top 10 Best Freelance Testing Websites That Will Pay You

“It relies on chance and the fact that I can keep crashing accountsservice until it’s successful. But would an attacker care? It gets you a root shell, even if you have to wait a few hours,” Backhouse said.

“To me, it feels like magic that it’s even possible to exploit such a small bug, especially considering all the mitigations that have been added to make memory corruption vulnerabilities harder to exploit. Sometimes, all it takes to get root is a little wishful thinking!”

Further details on how the vulnerability was found and the exploit developed are available in Backhouse’s CVE-2021-3939 writeup.

Earlier this year, the researcher found an authentication bypass vulnerability in the polkit Linux system service that enabled unprivileged attackers to get root shell on most modern distros.