ivoxavier opened this issue 2 years ago (status: Open)
There are several problems with this:
1) There was absolutely no consideration of responsible disclosure or discussion with UT devs in private, and the person just posted on Twitter that one could do this (note that one can also do similar attacks on most any system).
2) This doesn't deserve a CVE, and the person "demonstrating" this is obviously ignoring existing measures in place which already prevent the issue.
3) As part of said measures, in order to do anything in Terminal app, one must enter their PIN or password anyway.
4) Additionally, random apps from the store can't simply execute sudo as such. The app must be using the unconfined apparmor profile, which Terminal does, and for which the Open Store requires manual review and that any such app be open source.
In simple terms, does this mean that the supposed security flaw does not exist ?
> In simple terms, does this mean that the supposed security flaw does not exist ?
It means this isn't really a security flaw in the software itself. If you choose a trivial password, it will be trivial to guess it. This is not limited to Ubuntu Touch. Even if it were a six digit PIN, as is commonly used on iOS/Android, the password will be trivial to guess. Is it really a "privilege escalation exploit" because you can run sudo and have a trivial password? Is it a PE flaw that you can enable root from Android developer options?
If anything, the only "flaw" here is that sudo doesn't do escalating back-off for failures, nor does it provide any method of preventing the running of sudo after N failed attempts to run it. This is true on any platform where sudo can be used.
Thanks @dobey for the explanation. Perhaps it should be considered that the "problem" raised has the utility of allowing a glimpse of security points which could possibly be improved in UT.
On a random navigation through CVEs, I spotted this one.
Logfiles and additional information
https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40297
Illustration
Image retrieved from the owner's repo