Headline
CVE-2022-40297: GitHub - filipkarc/PoC-ubuntutouch-pin-privesc: Proof of Concept: Privilage escalation in Ubuntu Touch 16.04 - by PIN Bruteforce
UBports Ubuntu Touch 16.04 allows the screen-unlock passcode to be used for a privileged shell via Sudo. This passcode is only four digits, far below typical length/complexity for a user account’s password.
Proof of Concept: Privilege escalation in Ubuntu Touch 16.04 - by Passcode Bruteforce
Ubuntu Touch allows you to “protect” devices with a 4-digit passcode. Such a code was set in a demonstration device. The problem is that the same 4-digit passcode then becomes a password that we can use with the sudo command and gain root privileges.
This means that a malicious application can do us double harm:
- Easily escalate privileges and take control of the device.
- It can pass the screen unlock passcode to a third party.
How does my Proof of Concept work?
- We run poc.py as a regular user.
- App is doing bruteforce attack on password. No rate limit in system!
- Passcode to unlock the screen = password for sudo su to obtain root.
- After 1-2 minutes we have passcode on the screen, which we also save to the file /root/passcode as evidence of system compromise.
Contact
Feel free to contact me on Twitter @FilipKarc.
Be sure to follow me on LinkedIn: LinkedIn.