20 Feb Snapd (CVE-2019-7304)
Local Privilege escalation on the victim host via snapd
Security researcher Chris Moberly discovered this Linux privilege escalation vulnerability in January 2019; the details were released in mid-February.
The vulnerability affects snapd versions 2.28 through 2.37. snapd is the daemon behind Snap, a universal package management system created by Canonical; snap packages contain everything they need to run without modification across different distributions.
snapd runs a local web server on an AF_UNIX socket that exposes a REST API for performing certain actions on the operating system.
Moberly’s POC leverages two different API endpoints, POST /v2/create-user and POST /v2/snaps. Both create a new user on the system, but in slightly different ways: one creates a user based on an Ubuntu SSO profile, the other creates a user via system commands.
To gain the level of access needed, the exploit creates a socket file with a random name and appends the payload “;uid=0;” to it, for example “temp_socket_file;uid=0;”.
When a client binds to this random socket file plus payload and then connects to the snap daemon, the daemon reads the client’s socket path as part of its peer-credential string, so the appended token overwrites the UID variable and the request is treated as coming from root.
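As an added illustration, not snapd’s own code and not Moberly’s POC, the following Go program reproduces the bug class in miniature: a peer-credential string in which the kernel-supplied pid and uid share one ‘;’ delimiter with the client-chosen socket path, parsed once the vulnerable way and once strictly. The function names formatPeer, parseUIDNaive, takeField and parseUIDStrict, and the sample socket paths, are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// nobodyUID is the fallback when no credential can be established.
const nobodyUID uint32 = 65534

// formatPeer builds a peer-credential string of the same shape snapd used:
// kernel-supplied pid and uid first, then the client-chosen socket path.
// The untrusted path shares the string and the ';' delimiter with trusted fields.
func formatPeer(pid int, uid uint32, socketPath string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s;", pid, uid, socketPath)
}

// parseUIDNaive is the vulnerable pattern: every ';'-separated token is
// inspected and a later "uid=" token overrides an earlier one, so a socket
// path that itself contains ";uid=0;" replaces the kernel-supplied uid.
func parseUIDNaive(peer string) uint32 {
	uid := nobodyUID
	for _, tok := range strings.Split(peer, ";") {
		if strings.HasPrefix(tok, "uid=") {
			if v, err := strconv.ParseUint(tok[len("uid="):], 10, 32); err == nil {
				uid = uint32(v)
			}
		}
	}
	return uid
}

// takeField consumes "<name>=<value>;" from the front of s and returns the
// value and the remainder. Any deviation from that exact layout is an error.
func takeField(s, name string) (value, rest string, err error) {
	prefix := name + "="
	if !strings.HasPrefix(s, prefix) {
		return "", "", fmt.Errorf("expected %q field", name)
	}
	s = s[len(prefix):]
	i := strings.IndexByte(s, ';')
	if i < 0 {
		return "", "", fmt.Errorf("unterminated %q field", name)
	}
	return s[:i], s[i+1:], nil
}

// parseUIDStrict is the hardened pattern: fields are read positionally in the
// order formatPeer wrote them, and everything after "socket=" is opaque path
// data that is never scanned for further fields.
func parseUIDStrict(peer string) (uint32, string, error) {
	pidStr, rest, err := takeField(peer, "pid")
	if err != nil {
		return nobodyUID, "", err
	}
	if _, err := strconv.Atoi(pidStr); err != nil {
		return nobodyUID, "", errors.New("pid is not numeric")
	}
	uidStr, rest, err := takeField(rest, "uid")
	if err != nil {
		return nobodyUID, "", err
	}
	uid, err := strconv.ParseUint(uidStr, 10, 32)
	if err != nil {
		return nobodyUID, "", errors.New("uid is not numeric")
	}
	if !strings.HasPrefix(rest, "socket=") {
		return nobodyUID, "", errors.New("expected socket field")
	}
	// The path runs to the final ';' that formatPeer appended; it is data, not fields.
	socketPath := strings.TrimSuffix(rest[len("socket="):], ";")
	return uint32(uid), socketPath, nil
}

func main() {
	// Constructed inputs: an ordinary client, and one whose socket name carries the
	// ";uid=0;" string described above. The kernel reports uid 1000 for both.
	honest := formatPeer(4242, 1000, "/run/user/1000/client.sock")
	crafted := formatPeer(4243, 1000, "/tmp/temp_socket_file;uid=0;")
	for _, p := range []string{honest, crafted} {
		strictUID, _, err := parseUIDStrict(p)
		fmt.Printf("naive=%d strict=%d err=%v  <- %s\n", parseUIDNaive(p), strictUID, err, p)
	}
}
```

Running it prints uid 1000 from both parsers for the honest client, but 0 from the naive parser for the crafted one while the strict parser still returns 1000. The lesson for reviewers is that the fix is not to sanitise the socket name but to stop interpreting it: trusted fields are read positionally and the path is carried as opaque bytes, or, better still, kernel credentials are kept in a struct and never serialised into the same string as untrusted data.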
Snap POC v1: Privilege escalation via snapd v1 exploit which utilises Ubuntu SSO
Snap POC v2: Privilege escalation via snapd v2 exploit which installs an empty devmode snap that creates a new user.
Updating your system protects you from this vulnerability: any snapd version 2.37.1 or newer is fixed.