Snapd (CVE-2019-7304)

Objective

Local privilege escalation on the victim host via snapd

Summary

Security researcher Chris Moberly discovered a Linux privilege escalation vulnerability in January 2019; details were released in mid-February.
The vulnerability affects versions 2.28 through 2.37 of snapd, a universal package management system created by Canonical. Snap packages contain everything needed to run without modification across different distributions.

snapd provides a local web server (listening on an AF_UNIX socket) that exposes a REST API for performing certain actions on the operating system.
Moberly’s PoC leverages two different API endpoints, POST /v2/create-user and POST /v2/snaps. Both create a new user on the system, but in slightly different ways: one creates a user based on an Ubuntu SSO profile, the other creates a user via system commands.

Method

The exploit creates a randomly named socket file with the payload “;uid=0;” appended to its name, for example “temp_socket_file;uid=0;”.
Binding to this socket file (name plus payload) and then connecting to the snap daemon causes the appended string to overwrite the UID variable snapd parsed for the connection, so the request is treated as coming from root.
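The parsing pattern behind this bug, as an added illustration in Go that is neither snapd's code nor Moberly's PoC: a vulnerable parser that lets a `uid=` field smuggled in via the socket path override the real one, beside a hardened positional parser. The `pid=…;uid=…;socket=…;` string format and all function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Peer credentials serialised into one string, as the page describes: pid and uid
// from the kernel, then the client-chosen socket path. Assumed format, not snapd code.
func encodeRemoteAddr(pid, uid uint32, socketPath string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s;", pid, uid, socketPath)
}

func parseUID(field string) (uint32, error) {
	v, err := strconv.ParseUint(strings.TrimPrefix(field, "uid="), 10, 32)
	return uint32(v), err
}

// vulnerableUID splits everything on ";" and lets each "uid=" field overwrite the
// last, so a socket path ending in ";uid=0;" is read as a second, attacker-chosen uid.
func vulnerableUID(remoteAddr string) (uint32, error) {
	uid, err := uint32(0), fmt.Errorf("no uid field in %q", remoteAddr)
	for _, field := range strings.Split(remoteAddr, ";") {
		if strings.HasPrefix(field, "uid=") {
			if uid, err = parseUID(field); err != nil { // err cleared once a uid parses
				return 0, err
			}
		}
	}
	return uid, err
}

// hardenedUID parses positionally: pid and uid must be the first two fields and the
// untrusted socket path is the remainder, which is never scanned for key=value pairs.
func hardenedUID(remoteAddr string) (uint32, error) {
	p := strings.SplitN(remoteAddr, ";", 3)
	if len(p) != 3 || !strings.HasPrefix(p[0], "pid=") ||
		!strings.HasPrefix(p[1], "uid=") || !strings.HasPrefix(p[2], "socket=") {
		return 0, fmt.Errorf("malformed remote address %q", remoteAddr)
	}
	return parseUID(p[1])
}

func main() {
	addr := encodeRemoteAddr(4242, 1000, "/tmp/client.sock;uid=0;") // constructed sample
	v, _ := vulnerableUID(addr)
	h, _ := hardenedUID(addr)
	fmt.Printf("vulnerable parser uid=%d, hardened parser uid=%d\n", v, h) // prints 0 and 1000
}
```

The safer design is to stop serialising untrusted data into the same delimited string as the kernel-supplied credentials at all; the positional parser above only shows the minimal fix.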

Videos

Snap POC v1: Privilege escalation via snapd v1 exploit which utilises Ubuntu SSO

Snap POC v2: Privilege escalation via snapd v2 exploit which installs an empty devmode snap that creates a new user.

Conclusion

Updating your system protects you from this vulnerability: any snapd version 2.37.1 or newer is not affected.

Credit: Thanks to Chris Moberly (@init_string) from The Missing Link for discovering the vulnerability; read more here.
