[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background
Guy Baconniere
1867424 at bugs.launchpad.net
Fri Jun 5 07:12:53 UTC 2020
This is more than just a Telemetry, It as a Trojan in Ubuntu Distro.
A remote code-execution (RCE) vulnerability
in all Ubuntu of the world! Why?
Simple
curl is launched as root (not the best practice!),
and Ubuntu Distro fetch https://motd.ubuntu.com multiple times per day
if someone (like 3-letters or 4 letters) controls this Amazon Web server
knowing the version of curl (provided by the script) exploit any local
known vulnerability present in curl or use a curl zero day it will have
"root" access to any Ubuntu Server or Desktop, Laptop of the world!
Proof of Concept
Add the following before the for calling curl in /etc/update-motd.d/50
-motd-news
date +'%Y-%m-%d %H:%M:%S' >> /tmp/test
whoami >> /tmp/test
echo $USER_AGENT >> /tmp/test
wait 12 hours... or 12:00 / 00:00 or reboot
cat /tmp/test
2020-06-05 12:00:00
root
curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/**********-generic/x86_64 Intel(R)/Core(TM)/i7-******/CPU/@/*****GHz uptime/70.55/921.20 cloud_id/unknown
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424
Title:
motd-news transmitting private hardware data without consent or
knowledge in background
Status in base-files package in Ubuntu:
Confirmed
Bug description:
In package base-files there is a script /etc/update-motd.d/50-motd-
news that harvests private hardware data from the machine and
transmits it in the background every day. There is no notice, no
consent, no nothing. This should be by default disabled until there
is informed consent.
This solution is simple:
1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and
2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.
Creating databases that maps ip address to specify hardware is a
threat to both privacy and security. If an adversary knows the
specific hardware and the ip address for that hardware their ability
to successfully attack it is greatly increased.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions
More information about the foundations-bugs
mailing list