This is more than just telemetry; it is a Trojan in the Ubuntu distro.

A remote code-execution (RCE) vulnerability in every Ubuntu in the world! Why?

Simple

curl is launched as root (not the best practice!), and the Ubuntu distro
fetches https://motd.ubuntu.com multiple times per day. If someone (like
the 3-letters or 4-letters) controls this Amazon web server, then, knowing
the version of curl (provided by the script), they can exploit any known
local vulnerability present in curl, or use a curl zero-day, and will have
"root" access to any Ubuntu server, desktop or laptop in the world!

Proof of Concept

Add the following before the for loop that calls curl in
/etc/update-motd.d/50-motd-news:

date +'%Y-%m-%d %H:%M:%S' >> /tmp/test
whoami >> /tmp/test
echo $USER_AGENT >> /tmp/test

Wait 12 hours... or until 12:00 / 00:00, or reboot.

cat /tmp/test

2020-06-05 12:00:00
root
curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/**********-generic/x86_64 
Intel(R)/Core(TM)/i7-******/CPU/@/*****GHz uptime/70.55/921.20 cloud_id/unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or
  knowledge in background
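
An audit helper for the behaviour reported above, added here as an example and not part of the original bug comment. It assumes the stock /etc/default/motd-news file with an ENABLED= line that the 50-motd-news script sources; the function names are hypothetical and the sample User-Agent is the redacted line from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether motd-news is
# switched on and list what a captured User-Agent line discloses.

# Print enabled / disabled / absent for a motd-news defaults file.
# Assumption: 50-motd-news sources this file and only fetches if ENABLED=1.
motd_news_state() {
    conf="${1:-/etc/default/motd-news}"
    [ -r "$conf" ] || { echo absent; return 0; }
    # Use the last uncommented ENABLED= assignment, as sourcing the file would.
    val=$(sed -n 's/^[[:space:]]*ENABLED=//p' "$conf" | tail -n 1 | tr -d "\"'")
    if [ "$val" = "1" ]; then echo enabled; else echo disabled; fi
}

# Label each space-separated token of a User-Agent line in the format
# shown in the report, one "name=value" pair per line.
ua_fields() {
    set -f    # the redacted sample contains '*'; do not glob-expand tokens
    for tok in $1; do
        case "$tok" in
            curl/*)      echo "curl_version=${tok#curl/}" ;;
            Ubuntu/*)    echo "release=${tok#Ubuntu/}" ;;
            GNU/Linux/*) echo "kernel_arch=${tok#GNU/Linux/}" ;;
            uptime/*)    echo "uptime=${tok#uptime/}" ;;
            cloud_id/*)  echo "cloud_id=${tok#cloud_id/}" ;;
            *)           echo "cpu=$tok" ;;
        esac
    done
    set +f
}

# Sample input: the redacted User-Agent from the report, joined to one line.
SAMPLE_UA='curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/**********-generic/x86_64 Intel(R)/Core(TM)/i7-******/CPU/@/*****GHz uptime/70.55/921.20 cloud_id/unknown'

echo "motd-news on this host: $(motd_news_state)"
ua_fields "$SAMPLE_UA"
```

A result of "disabled" or "absent" means the script exits before reaching curl under the assumption stated above; setting ENABLED=0 in that file is the corresponding switch.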
