Hackfest 2024 - 16-bit Edition

Your locale preferences have been saved. We like to think that we have excellent support for English in pretalx, but if you encounter issues or errors, please contact us!

Leveraging Features for Privilege Escalation in Ubuntu 24.04
10-12, 15:30–16:20 (America/New_York), Track 2 (206a)
Language: English

In this session, we explore a unique approach to privilege escalation in Ubuntu 24.04 by leveraging system features rather than relying solely on traditional vulnerabilities. Our research began with an investigation into Ubuntu's privilege boundaries, focusing on DBus and its interaction with the cups printing system. Through a series of methodical steps, we uncovered a way to escalate privileges from a standard user to root by chaining together minor bugs and existing features.

Our journey highlights the importance of understanding system components and their interactions. By exploiting the configurations within the cups service and bypassing AppArmor restrictions, we achieved arbitrary command execution, ultimately gaining root access through the wpa_supplicant service.

This talk emphasizes the significance of a holistic approach to security research, demonstrating how combining knowledge of system features can lead to successful exploitation. Attendees will gain insights into advanced privilege escalation techniques and the critical role of comprehensive system analysis in identifying security risks.

  1. Introduction
    We'll start with an overview of Ubuntu 24.04 and the goals of our research at Snyk Security Labs. This will set the stage for understanding the significance of exploiting existing system features in modern security research.

  2. Initial Exploration
    Discuss the difference between traditional vulnerability hunting and leveraging system features for exploitation. We'll explain our approach to identifying privilege boundaries within Linux, focusing particularly on DBus as a critical component.

  3. Targeting cups
    Explain why we selected the cups printing system as our target. We'll delve into how we used tools like strace to monitor its behavior and uncover vulnerabilities in its configuration handling, setting the foundation for our exploit chain.

  4. Overcoming AppArmor
    Provide an overview of AppArmor and its role in restricting application behavior. We'll describe the techniques we employed to bypass these restrictions and gain writable access to critical cups configuration files.

  5. Exploitation Chain
    Walk through the exploitation process in detail. We'll show how we modified cups-files.conf to control external program execution and used other DBus methods to maintain writable access.

  6. Root Access via wpa_supplicant
    Introduce wpa_supplicant and explain how exploiting this service via DBus helped us bypass additional security restrictions. We'll detail how this final step enabled us to achieve root command execution.

  7. Conclusion
    Summarize the key takeaways from our research, highlighting how smaller bugs in complex systems can lead to high-impact vulnerabilities. Emphasize the importance of a holistic approach in security research.

  8. Q&A
    Open the floor to audience questions and discussions.

Are you releasing a tool? – no
Elliot Ward

Elliot is a senior security researcher at software security company Snyk. He has a background in software engineering and application security. He also enjoys craft beer and when not hacking can be found skateboarding or snowboarding in the Swiss alps.