How did this exploit allow write access to root owned files?

This was a bug in pam_motd that has long since been patched out:

pam_motd (aka the MOTD module) in libpam-modules before 1.1.0-2ubuntu1.1 in PAM on Ubuntu 9.10 and libpam-modules before 1.1.1-2ubuntu5 in PAM on Ubuntu 10.04 LTS allows local users to change the ownership of arbitrary files via a symlink attack on .cache in a user's home directory, related to "user file stamps" and the motd.legal-notice file.

This basically translates to: while logging in with SSH, PAM (the authentication module, running as root) would try to `chown $USER: ~/.cache`. It didn't look to see what that was, so the ownership change was propagating to the linked file.

That allowed you to own and then edit the system files and gain root-level access.

While .cache was symlinked to /etc/{passwd,shadow} they could have echoed into .cache... But why bother? By that point those files had their file ownership changed to $USER. They were freely editable.

Just in answer to your comments:

  • It doesn't give you permission, it (or I should say its PAM module) is the thing changing the ownership. But yes, PAM doing what it did was the problem.

  • The symlink to ~/.cache is just a redirect for the exploit. It is required so that when you log in, PAM (running as root) tries to chown the linked file. That's the exploit there.

  • It was an oversight and it was fixed by dropping privileges before entering into any of that code.
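The root cause described above is that chown(2) follows symlinks, so a privileged caller acting on `~/.cache` acts on whatever the link points at. As an added example (not code from the answer or from pam_motd), the following constructs a throwaway "home" directory with `.cache` symlinked to a stand-in for a protected file, shows that the path a plain chown would operate on is the link target, and applies a hypothetical `safe_to_chown` check based on `os.lstat` that refuses to act on a symlink or on a file the user does not already own:

```python
import os
import stat
import tempfile


def safe_to_chown(path: str, expected_uid: int) -> bool:
    """Hypothetical guard for a privileged chown of a per-user file.

    Uses lstat so a planted symlink is inspected, never followed, and
    only accepts an existing non-symlink already owned by expected_uid.
    A check like this narrows the window but is still racy (TOCTOU);
    the actual pam_motd fix dropped privileges before touching the file,
    which is the stronger approach.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return False
    return st.st_uid == expected_uid


def demo():
    """Constructed scenario in a temp dir standing in for a user's home."""
    with tempfile.TemporaryDirectory() as home:
        # Stand-in for a root-owned system file; content is constructed.
        target = os.path.join(home, "protected_file")
        with open(target, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")

        link = os.path.join(home, ".cache")
        os.symlink(target, link)

        # os.chown(link, ...) follows symlinks by default, exactly like
        # chown(2): the inode it would modify is the target's inode.
        follows_to_target = os.stat(link).st_ino == os.stat(target).st_ino

        # The guard refuses the symlink ...
        rejects_link = not safe_to_chown(link, os.getuid())

        # ... but accepts a real directory owned by the calling user.
        os.unlink(link)
        os.mkdir(link)
        accepts_real_dir = safe_to_chown(link, os.getuid())

        return follows_to_target, rejects_link, accepts_real_dir


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Where a chown is unavoidable, `os.lchown` (or `fchownat` with `AT_SYMLINK_NOFOLLOW`) changes the link itself rather than its target.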