This repository contains a proof of concept exploit for CVE-2021-3939 (GHSL-2021-1011): a double-free memory corruption vulnerability in accountsservice.
When successful, this PoC sets the root user's password.
Notes:
- The vulnerability only exists in Ubuntu's fork of accountsservice. Other Linux distributions, such as Debian, are not affected.
- This exploit is SLOW. It might take several hours to succeed.
Instructions for building the PoC:

```sh
git submodule update --init # Download https://github.com/kevinbackhouse/DBusParse
mkdir build
cd build
cmake ..
make
```

To run the PoC:

```sh
./poc3 /var/run/dbus/system_bus_socket
```

The PoC usually takes many hours to succeed. When it's successful, you should be able to log in as root:

```sh
su - root # password is: KrabbyPatties
```

Note: there are three versions of the PoC. poc.cpp is the original PoC that I attached to the bug report that I sent to Ubuntu. It's a bit careless with the way that it sends and receives D-Bus messages, so it can sometimes get stuck because it's waiting for a D-Bus message that never arrives. poc2.cpp is an improved version that uses asynchronous communication, powered by epoll. poc3.cpp is a simplified version of the exploit which I wrote after I better understood how the exploit actually works.