Root access with a corrupted menu entry
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Ubuntu |
Triaged
|
Wishlist
|
Unassigned | ||
Bug Description
Description:
With a corrupted menu entry in ~/.local/
Steps to reproduce the bug:
1. Go to ~/.local/
2. With a text editor, open a desktop entry of a program that needs root access, such as Synaptic.
3. Replace the «Exec» field with:
Exec=gksu touch /hello
4. Open the entry you have modified
What appens:
A distracted user can insert the password without notice (especially if I use gksu --description and --message options to shadow the command) and the hello file will appear in /.
What's the matter?
For example, if instead of "touch /hello" I wrote "rm /*" all file will be destroyed. Also, I can put a trojan and control all the system. To corrupt the icon I can create a simple program (also a bash script) and if I spread it on the network it can be very dangerous!
| description: | updated |
| Jamie Strandboge (jdstrand) wrote | #1 |
| Andrea Corbellini (andrea.corbellini) wrote | #2 |
| visibility: | private → public |
| visibility: | private → public |
Thank you for your bug report, and helping make Ubuntu even better. The privilege escalation you described can happen only when the account in question is compromised, or is user assisted. Currently, trojaned accounts are not expected to be controlled by the operating system. I will mark this Wishlist so this can be revisted in the future.