Have you played with the latest version of Ubuntu yet? Ubuntu 11.10 named Oneiric Ocelot (Who makes up these names?), was released last month and comes with a couple surprises.
When you boot it up, you will see two differences. First of all, the standard Gnome Desktop is not installed by default. Unity, which was an option in 11.04, is now the standard desktop. Unity is a graphical interface that makes your system look more like the latest fad tablet Operating Systems. I hated it at first, but it has grown on me.
Don’t like it? No worries, you can install the classic gnome interface with the following command:
sudo apt-get install gnome-panel
But the second addition is the most concerning. If you look at the user list there is a new user present – “Guest Session”. There is no security on this account. Just select “Guest Session”, leave the password blank and log in!
Okay, I know, you need to be an admin to be able to run anything potentially damaging. If you log into the Guest account and try to run a system command you get “Permission Denied”. And you still need the root password to install software and execute the ‘SUDO’ command. So what is the problem?
It is an opening, a small crack. And where there is a crack, there is an opportunity for exploit. Microsoft learned this lesson years ago and has since disabled the Guest account by default.
Why would Ubuntu do this?
“The Guest account is not really a problem, and it’s been there a long time, it’s just that it’s a bit more obvious now that it’s listed in the login screen.”, Mentions an Ubuntu team member in a support forum.
Luckily he also mentions how to disable it, because the user does not show up in the user list!
You can disable the guest account (in 11.10 only) by editing the /etc/lightdm/lightdm.conf and add the line:
allow-guest=false
You will need to reboot for this to take effect.
When I first heard about this, I updated one of my Ubuntu 11.04 systems to 11.10 to see if this was true. Sure enough, after the update was complete and the system rebooted – I had a “Guest Session” account. I did not have any guest users enabled on my system before.
Don’t get me wrong, I love Ubuntu, am an avid user and highly recommend it.
But enabling users with no passwords by default? Call it a feature I guess?
CYBER ARMS - Computer Security 
Nice post
Thank you Tushar. Your website looks very interesting. I’ll try to check it out a little closer when I get a chance.
Thanks for visiting!
Dan
Dan —
I am/was also skeptical about the guest account, so I looked into the implications of this account as well as the potential for what compromise of the account could lead to.
If you do some snooping about Guest , it’s not really as much of a liability as its name would lead the average person to believe. It’s certainly no Windows XP Guest account, that’s for sure.
You will find that the LightDM shell for Guest is quite adequately confined with mandatory access controls (Apparmor in this case). You can find the apparmor profile in /etc/apparmor.d/lightdm-guest-session. If you examine the profile you will find that the entire profile is designed to confine guest from doing too much naughty stuff.
The user does have some permanence and is fairly well confined from the rest of the users on the system via both discretionary and mandatory access controls. That being said, I disagree with what you said about the account having “no security”. While I agree any foothold is better than no foothold, the reality for this account is compromise would likely happen locally anyway, and we all know local = root regardless of if you’re guest or root.
In any case, I look forward to hearing your thoughts on this.
Regards,
Adam
Adam,
Exceptional feed back, thank you!
Granted, my use of “There is no security on this account” was not the best choice of words. What I meant is continued in the next sentence, that no password was required to log in.
I looked at your website, awesome by the way, and noticed that you seem to be an avid Backtrack user. As there is no remote access by default to the guest account, what about java/script attacks? Like the Social Engineering Toolkit?
You can use SET to get a remote command shell with the Linux/Mac add in. If someone were to use the guest account, and surf the web with it, and allowed the exploit to run, I think it would still give a remote shell.
Again, it would be to a lower access account and like you said it seems to be sandboxed with apparmor. But it would still be a remote shell, which could be used to recon the machine a bit.
Just some thoughts, I haven’t had time to play with it yet, but want to spend some time playing with it at some point.
Again, great comment, thanks Adam!
Dan
Hey Dan —
Thanks for the response, obviously getting a remote shell is getting a remote shell. I assume you’re referring to the Javascript web app attack vector in SET. Basically if the user allows that code to run, the user allows the code to run. That vector being a repeater is rather obnoxious and most users will click just to make it go away.
That being said, after that you’ll have meterpreter or nc or whatever payload you wanted you’re kind of stuck in the sense of being limited by Apparmor. Escalation out of the “Guest” account is something I’ve been spending a little bit of time researching, as you’re not the first who’s brought it up with the recent release of Oneiric.
Truthfully, if you look at the default Oneiric install guest doesn’t get left with a lot of options for this. Most of the setuid applications (ping) are either tucked away or also confined by Apparmor.
I just think if you’re going to go in terms of using an SE vector like the one you’re discussing. It might just make more sense to target the default user who comes pre-armed with super user priveleges (through sudo) and at least a little bit more “room to groove” in terms of escalation.
This is just my experience, but have you seen the average Linux (particularly Ubuntu) user? Half of them will click stuff just because they think it can’t hurt them because there is “no malware for linux”.
That’s just my thoughts on it.
Regards,
Adam
You are absolutely correct Adam!
Yeah, I read several places where they said that guest is safe, because there is no remote access. But if someone is using “Guest”, and allow things to run on the internet, well you can get remote access.
I know it’s locked down pretty good, or so it seems, but man Adam, I had a big problem with the guest account in Windows ages ago, and it was supposedly “safe”. Seeing Ubuntu do this brings back some bad memories! 🙂
“No Malware for Linux” – LOL, yupper, it’s like the Windows users clicking on anything when protected by Anti-Virus, cause anti-virus stops everything! 🙂
Dan
Yep totally agree with you. Windows guest had some scary implications.
I am curious to see if I can break out of guest though into a more privileged account under 11.10 , if I find anything interesting I’ll let you know. If you happen to come upon any other research on the subject you should definitely post it up.
I’m dubious to accept that anything is inherently “safe” and there are many people out there who are very smart and have a LOT of time on their hands to come up with this stuff lol.
Thanks again for the replies and compliments on my site — keep up the good posts, there is some really interesting stuff on this site 🙂
Thanks bro, appreciate it!
Sounds great, let’s keep in touch, I have your e-mail address, and mine is cyberarms(at)live.com.
The guest account on version 12.04 doesn’t seem to save any changes to the operating system. I enters a separate login shell eo do admin tasks.