An issue was discovered in network-manager-applet (aka network-manager-gnome) in Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use this issue at the default Ubuntu login screen to access local files and execute arbitrary commands as the lightdm user. The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point that lets you use a certificate to log in is required as well, but it's easy to create one. Then, it's possible to open a nautilus window and browse directories. One also can open some applications such as Firefox, which is useful for downloading malicious binaries.
From https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1668321 additionally:
We just found a vulnerability in lightdm which could lead us to read files with lightdm permissions, and also write in some directories.
We were able to download a reverse_shell payload and execute it in order to gain a reverse shell as lightdm on a remote system.
The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point which lets you use a certificate to log in is required as well, but it's easy to create one.
Then, it's possible to open a nautilus window and browse directories. We also can open some applications such as Firefox, which is useful for downloading malicious binaries :-)
See this video for the PoC:
Author: Mart Raudsepp <firstname.lastname@example.org>
Date: Sat Mar 25 14:07:13 2017 +0200
gnome-extra/nm-applet: fix CVE-2017-6590, nma bindings and more
Grab patches from upstream nm-1-4 branch for fixing broken NMA bindings,
translations when used in gnome-control-center (gettext domain context issue),
CVE-2017-6590 (a physical access login screen bypass issue with lightdm), and
a certification file error message fix as requested by one of our users specifically.
Thanks-to: Martin Mokrejš
Arches, please proceed. In addition to the security fix, the previous stable nm-applet is a bit old for the newer stable networkmanager too, so this also makes for more trouble-free functioning.
Maintainer(s), please cleanup.
Security, please vote.
cleanup done, 1.2.4 remains with keywords reduced to only ~ia64 ~sparc as they still haven't done bug 593496
Arches and Maintainer(s). Thank you for your work.
New GLSA Request filed.
Going to leave in cleanup state until they complete the bug.
Arches and Maintainer(s), Thank you for your work.
This issue was resolved and addressed in
GLSA 201707-09 at https://security.gentoo.org/glsa/201707-09
by GLSA coordinator Thomas Deutschmann (whissi).