This is more than just a Telemetry, It as a Trojan in Ubuntu Distro. A remote code-execution (RCE) vulnerability in all Ubuntu of the world! Why?
Simple curl is launched as root (not the best practice!), and Ubuntu Distro fetch https://motd.ubuntu.com multiple times per day if someone (like 3-letters or 4 letters) controls this Amazon Web server knowing the version of curl (provided by the script) exploit any local known vulnerability present in curl or use a curl zero day it will have "root" access to any Ubuntu Server or Desktop, Laptop of the world! Proof of Concept Add the following before the for calling curl in /etc/update-motd.d/50 -motd-news date +'%Y-%m-%d %H:%M:%S' >> /tmp/test whoami >> /tmp/test echo $USER_AGENT >> /tmp/test wait 12 hours... or 12:00 / 00:00 or reboot cat /tmp/test 2020-06-05 12:00:00 root curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/**********-generic/x86_64 Intel(R)/Core(TM)/i7-******/CPU/@/*****GHz uptime/70.55/921.20 cloud_id/unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu. https://bugs.launchpad.net/bugs/1867424 Title: motd-news transmitting private hardware data without consent or knowledge in background Status in base-files package in Ubuntu: Confirmed Bug description: In package base-files there is a script /etc/update-motd.d/50-motd- news that harvests private hardware data from the machine and transmits it in the background every day. There is no notice, no consent, no nothing. This should be by default disabled until there is informed consent. This solution is simple: 1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it. Creating databases that maps ip address to specify hardware is a threat to both privacy and security. If an adversary knows the specific hardware and the ip address for that hardware their ability to successfully attack it is greatly increased. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
