New Ubuntu PrivEsc Vulnerability
According to a new Pastebin post by a Guest user, there is a PrivEsc vulnerability in all current releases of Ubuntu and its underlying architecture. The vulnerability allows local privilege escalation.
The default configuration in Ubuntu 14.04.2 LTS and earlier allows a standard user, given a specially crafted sequence of commands, to perform arbitrary command execution as a system user.
It was found, through investigating the account management and security aspects of the Ubuntu 14.04.2 LTS operating system and the underlying kernel, that there was a significant flaw in the application of access restrictions for performing commands as a privileged user.
This configuration could be exploited to severely damage the confidentiality, integrity, and availability of data held within the system.
The prerequisites for exploiting this vulnerability did mitigate some of the risk; however, this is insufficient given the potential impact on a system should an in-the-wild payload be created.
According to the author, there are some prerequisites that must be met in order for the vulnerability to be exploitable:
• An account with system privileges must exist:
  o The standard account under which the user is authenticated must be in the sudoers group
  o Or the root user must be enabled
• A simple string set by the user, generally during initial configuration of the operating system or user account, must be known
  o This string is arbitrary but is usually relatively short
  o There are known common and default values for this string
  o By default there is no policy for having a strong, secure string
  o A previous vulnerability in Ubuntu has been discovered allowing for the brute forcing of this string
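The two account prerequisites the post lists (a sudo-capable account and an enabled root account) are ordinary things an administrator can audit. The script below is an added example, not code from the Pastebin post or from Ubuntu; it parses /etc/group and /etc/shadow contents passed in as strings, and runs here against constructed sample data so it works offline.

```shell
#!/bin/sh
# Added audit example (not from the Pastebin post or Ubuntu). Parsers take file
# contents as arguments so they run against constructed samples or the live files.

# Constructed sample /etc/group and /etc/shadow contents (not real system data).
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice,bob
adm:x:4:alice'
SAMPLE_SHADOW='root:*:16000:0:99999:7:::
alice:$6$saltsalt$hashhashhash:16000:0:99999:7:::
bob:!:16000:0:99999:7:::'

# Print the members of the sudo group (comma-separated, empty if none).
sudo_members() {   # $1 = contents of an /etc/group file
    printf '%s\n' "$1" | awk -F: '$1 == "sudo" { print $4 }'
}

# Return 0 if the account has a usable password hash, 1 if it is locked
# ("!" or "*" prefix, which is how Ubuntu ships root) or absent.
password_enabled() {   # $1 = account name, $2 = contents of an /etc/shadow file
    hash=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2 }')
    case "$hash" in
        ''|'!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Report which accounts satisfy the post's "system privileges" prerequisite.
audit() {   # $1 = group file contents, $2 = shadow file contents
    members=$(sudo_members "$1")
    echo "sudo group members: ${members:-(none)}"
    for u in root $(printf '%s' "$members" | tr ',' ' '); do
        if password_enabled "$u" "$2"; then
            echo "$u: password login enabled (password strength is the only barrier to root)"
        else
            echo "$u: locked or no usable password"
        fi
    done
}

audit "$SAMPLE_GROUP" "$SAMPLE_SHADOW"
# On a live system: audit "$(cat /etc/group)" "$(sudo cat /etc/shadow)"
```

On the sample data this reports alice as the only sudo member with an enabled password, while root and bob are locked; pair the report with a pam_pwquality policy to address the "no strong string" item on the list.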
It has been discovered that, in the event certain conditions are met, remote exploitation of this vulnerability may be possible.
Common services such as telnet, SSH and FTP may allow for remote exploitation, as, if misconfigured, these will allow for a separate remote command execution vulnerability, which can be used in conjunction with this vulnerability.
NOTICE: We are going to check whether this truly is a vulnerability and will update this post accordingly!