[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

Guy Baconniere 1867424 at bugs.launchpad.net
Fri Jun 5 07:12:53 UTC 2020 

This is more than just a Telemetry, It as a Trojan in Ubuntu Distro.

A remote code-execution (RCE) vulnerability 
in all Ubuntu of the world!  Why?

Simple

curl is launched as root (not the best practice!),
and Ubuntu Distro fetch https://motd.ubuntu.com multiple times per day
if someone (like 3-letters or 4 letters) controls this Amazon Web server
knowing the version of curl (provided by the script) exploit any local
known vulnerability present in curl or use a curl zero day it will have
"root" access to any Ubuntu Server or Desktop, Laptop of the world!

Proof of Concept

Add the following before the for calling curl in /etc/update-motd.d/50
-motd-news

date +'%Y-%m-%d %H:%M:%S' >> /tmp/test
whoami >> /tmp/test
echo $USER_AGENT >> /tmp/test

wait 12 hours... or 12:00 / 00:00 or reboot

cat /tmp/test

2020-06-05 12:00:00
root
curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/**********-generic/x86_64 Intel(R)/Core(TM)/i7-******/CPU/@/*****GHz uptime/70.55/921.20 cloud_id/unknown

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or
  knowledge in background

Status in base-files package in Ubuntu:
  Confirmed

Bug description:
  In package base-files there is a script /etc/update-motd.d/50-motd-
  news that harvests private hardware data from the machine and
  transmits it in the background every day.  There is no notice, no
  consent, no nothing.  This should be by default disabled until there
  is informed consent.

  This solution is simple:

  1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 
  2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.

  Creating databases that maps ip address to specify hardware is a
  threat to both privacy and security.  If an adversary knows the
  specific hardware and the ip address for that hardware their ability
  to successfully attack it is greatly increased.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions

More information about the foundations-bugs mailing list