Attacker slips malware past Ubuntu Phone checks
Splash screen bug squashed
Canonical has issued a security advisory to all fifteen people who installed a particular Ubuntu Phone app.
While its reach might be trivial, the bug itself was serious: someone worked out how to bypass checks that are supposed to protect the Ubuntu Phone operating system's single-click app installation process.
As the company's Ubuntu client director of software engineering Olli Ries writes, the bug was exploited in an app called test.mmrow in the phone OS software store.
The malicious app created a script that modified the boot splash screen and gave the attacker root access to the phone, he explains.
It generated an “unconfined security policy” on the target device, Ries writes, and was “then able to create a shell script that has the ability to elevate its privileges to the root user and extract a tar file that contains images that are flashed when the phone is rebooted into recovery mode”.
That the app got into the Ubuntu phone store reveals two problems, Ries continues: one in the system's click review tools, the other that the app got past the store's automated review tools.
“The offending app was constructed in a way that made it look like it used a standard confinement template, but it specified an unconfined template in the alternate directory”, he explains, and that got it past the code review tools.
The Ubuntu Phone click review tools are also being updated to close the holes the app exploited.
Szymon Waliczek captured the vulnerability in action
Ries emphasised that the bug only affected the phone operating system. The company will push out a bug fix and says it's contacted all 15 users who downloaded test.mmrow (two of whom were Ubuntu staffers). ®