A local privilege escalation flaw in GNOME’s AccountsService component allows attackers to gain root access on Ubuntu systems by exploiting a double-free memory corruption bug. AccountsService is a D-Bus service that allows you to manage and query data associated with user accounts.
GitHub security researcher Kevin Backhouse discovered the vulnerability (a memory management bug tracked as CVE-2021-3939) while testing an exploit demo for another AccountsService flaw that let users elevate their privileges to root.
According to an Ubuntu security alert, “AccountsService could be made to crash or run programs as an administrator if it received a specially crafted command.”
Backhouse found that AccountsService handled memory incorrectly during certain language-setting operations, a weakness that local attackers could exploit to escalate privileges. Only Ubuntu’s branch of AccountsService is affected: the bug is present in Ubuntu 21.10, Ubuntu 21.04, and Ubuntu 20.04 LTS.
Canonical patched the flaw in AccountsService versions 0.6.55-0ubuntu120.04.5, 0.6.55-0ubuntu13.3, and 0.6.55-0ubuntu14.1 in November. After installing the updates, you will need to restart your computer for the fix to take effect.
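Confirming that the fix is actually installed means comparing the package version reported by `dpkg-query -W -f='${Version}' accountsservice` against one of the fixed versions above, and that comparison has to follow dpkg's ordering rules (epoch, upstream, revision, with `~` sorting before everything, including the end of the string). The following is an added example, not code from the article or from Ubuntu, that reimplements that ordering in Python so the check can run anywhere:

```python
import re
from itertools import zip_longest

def _order(c):
    """dpkg collation for one non-digit character ('' means end of string)."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare one version fragment with dpkg's verrevcmp() rules."""
    ta = re.findall(r"(\D*)(\d*)", a)  # alternating non-digit / digit runs
    tb = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(ta, tb, fillvalue=("", "")):
        # Non-digit run: character by character under _order; the shorter
        # run is padded with '' so that '~' sorts before the end of the string.
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        # Digit run: numeric comparison, leading zeros ignored, '' counts as 0.
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(version):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 with the ordering of 'dpkg --compare-versions'."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_patched(installed, fixed):
    """True when the installed package version is the fixed version or newer."""
    return compare_versions(installed, fixed) >= 0
```

Pass the installed version and the fixed version for your release to `is_patched`; a `False` result means the vulnerable package is still in place even if an update has been downloaded but not applied.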
By Backhouse’s own account, his CVE-2021-3939 proof-of-concept exploit is slow (it can take several hours) and does not always succeed. That matters little, however, because the double-free flaw lets an attacker crash AccountsService as many times as needed. The only real obstacle to exploiting the flaw is that systemd rate-limits AccountsService crashes, refusing to restart the service more than five times within ten seconds.
Backhouse stated, “It relies on chance and the fact that I can keep crashing AccountsService until it’s successful. But would an attacker care? It gets you a root shell, even if you have to wait a few hours.”
“To me, it feels like magic that it’s even possible to exploit such a small bug, especially considering all the mitigations that have been added to make memory corruption vulnerabilities harder to exploit. Sometimes, all it takes to get root is a little wishful thinking!”
Backhouse’s CVE-2021-3939 write-up has further details on how the vulnerability was discovered and how the exploit was built.