[Desktop-packages] [Bug 1668321] Re: Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user

2017-03-12 Thread BIGUENET Quentin
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6590

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager-applet in Ubuntu.
https://bugs.launchpad.net/bugs/1668321

Title:
  Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock
  as lightdm user

Status in network-manager-applet package in Ubuntu:
  Fix Released
Status in network-manager-applet source package in Precise:
  Fix Released
Status in network-manager-applet source package in Trusty:
  Fix Released
Status in network-manager-applet source package in Xenial:
  Fix Released
Status in network-manager-applet source package in Yakkety:
  Fix Released
Status in network-manager-applet source package in Zesty:
  Fix Released

Bug description:
  Hi,

  We just found a vulnerability in lightdm which could lead us to read files with
  lightdm permissions, and also write in some directories.
  We were able to download a reverse_shell payload and execute it in order to
  gain a reverse shell as lightdm on a remote system.

  The exploitation requires physical access to the locked computer and
  the Wi-Fi must be turned on. An access point which lets you use a
  certificate to log in is required as well, but it's easy to create one.

  Then, it's possible to open a nautilus window and browse directories.
  We can also open some applications such as Firefox, which is useful to
  download malicious binaries :-)

  See this video for the PoC :
  https://www.youtube.com/watch?v=Fp2lwRVg0l0

  
  -
  Some info about the Ubuntu version I used on the video above :

  $ lsb_release -rd
  Description:  Ubuntu 16.04.2 LTS
  Release:  16.04

  
  $ apt-cache policy lightdm
  lightdm:
    Installé : 1.18.3-0ubuntu1
    Candidat : 1.18.3-0ubuntu1
    Table de version :
   *** 1.18.3-0ubuntu1 500
          500 http://fr.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       1.18.1-0ubuntu1 500
          500 http://fr.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  

  I will give you time for a correction before publishing the discovery.

  If you have any questions, please let me know!

  Regards,

  Quentin Biguenet

  --
  Orange Cyber-Defense
  quentin.bigue...@orange.com

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1668321/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp


[Desktop-packages] [Bug 1668321] Re: Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user

2017-03-08 Thread BIGUENET Quentin
Is there a CVE number delivered for this vuln?



[Desktop-packages] [Bug 1668321] Re: Vulnerability allows read/write/exec access on Ubuntu 16.04 Screenlock as lightdm user

2017-03-08 Thread BIGUENET Quentin
> Marc Deslauriers (mdeslaur) wrote on 2017-03-06:  #34
> We will probably be publishing updates for this issue on 2017-03-07.

> Who do we credit for discovery of this vulnerability? (Our policy is
> to credit individuals, not organizations...names please...)

We discovered it: Frederic Bardy (frederic.ba...@orange.com) and me
(quentin.bigue...@orange.com).


Status in network-manager-applet package in Ubuntu:
  Confirmed
Status in network-manager-applet source package in Precise:
  Fix Released
Status in network-manager-applet source package in Trusty:
  Fix Released
Status in network-manager-applet source package in Xenial:
  Fix Released
Status in network-manager-applet source package in Yakkety:
  Fix Released
Status in network-manager-applet source package in Zesty:
  Confirmed
