Snapd vulnerability allows for privilege escalation on popular Linux distributions

By Alfred Vergara on February 15, 2019

On February 13, 2019 security researcher Chris Moberly from The Missing Link disclosed a privilege escalation possibility within the snapd service that allowed for a local user to elevate privileges to root by exploiting a code vulnerability, known as Dirty_Sock and CVE-2019-7304, that improperly establishes the user’s permissions (uid).

What is Snapd?

Snapd is a systemd service that manages snap files, “snaps”, and is installed by default on the supported distributions of Linux: Ubuntu, Debian, OpenSUSE, Arch Linux, Solus, and Fedora. There are competing application packaging standards in the Linux environment, and snap is one of these. Snap is developed by Canonical, the makers of Ubuntu Linux. Snapd allows for a user to manage local snaps and manages communication in downloading new snaps from a Snap “store” (much like the Apple App Store).

The Vulnerability

Snapd runs at the context of a root user, and thus is a target for an attacker who wants to elevate privileges. For communication between processes, an application must connect to a local socket on another application. Sockets when established in Linux can be defined as different types; AF_UNIX is the type used for local, application to application connections. A AF_UNIX receiving socket allows an application to receive credentials of the sending application. These credentials are determined by the level of access the application is given to the system through the user level accessing it.

Snapd, when checking for the user permissions did not compare the uid, in a proper manner.

func (wc *ucrednetConn) RemoteAddr() net.Addr {
    return &ucrednetAddr{wc.Conn.RemoteAddr(), wc.pid, wc.uid, wc.socket}
}

Connection info, process id (pid), and uid being added to one object, from Moberly.

func (wa *ucrednetAddr) String() string {
    return fmt.Sprintf(“pid=%s;uid=%s;socket=%s;%s”, wa.pid, wa.uid, wa.socket, wa.Addr)
}

Connection info, uid, and pid being concatenated into a string and separated by semicolons , from Moberly.

The concatenated string is then parsed with the delimiter of the semicolon being used. An example string is as follows: pid=5127;uid=1000;socket=/run/snapd.socket;@. Logically from the code, another uid= field after the initial one would reassign the uid variable to the last one seen. If the string can be manipulated, then it would be possible to trick Snapd into thinking that the user connecting to the socket through an application is running at the root level.

This was made possible through a custom script, as created by Moberly in Python:

## Setting a socket name with the payload included
sockfile = “/tmp/sock;uid=0;”

## Bind the socket
client_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
client_sock.bind(sockfile)

## Connect to the snap daemon
client_sock.connect(‘/run/snapd.socket’)

By changing the socket name to include the ;uid=0, and since the socket name is included in the concatenated string that determines the uid, the new string through the python script produces the following: pid=5275;uid=1000;socket=/run/snapd.socket;/tmp/sock;uid=0;

Moberly has since published 2 exploits of the vulnerability which requires access to the system. Dirty_sock version 1 requires an Internet connection on the target, and SSH. Dirty_sock version 2 does not require SSH or Internet, but requires some snap functionality to be present.

Impact

Snap applications have become a standard on many Linux systems. Linux, like Windows and Mac OS is a type of operating system that a computer can use. Linux can serve many roles in a network:

  • Web servers
  • Intermittent firewalls
  • Databases
  • Research computers

From the United States Federal government to Google, Linux systems are everywhere. They are both everywhere, and can be everything. Being able to elevate to root privileges on a system that is part of a critical infrastructure grants an attacker the maximum amount of control on the system. This system can be used to pivot into any other part of that network. A Linux system, when compromised, can result in disastrous outcomes:

  • A system that has access to banking information stored on a database when compromised will allow a malicious user to view and exfiltrate financial information.
  • A system that manages part of an industrial control system in a baby formula facility can result in millions of dollars lost.

The scope of a significant vulnerability on any operating system is wide, with impact being critical if systems are not protected through a defense in depth strategy; implement security controls on as many levels as you can to prevent an attacker from gaining necessary access to potentially vulnerable systems.

Mitigation

Snapd 2.37.1 has patches for the vulnerabilities of Dirty_Sock found by Moberly, so update your Linux distribution.

Sources

https://www.comparebusinessproducts.com/fyi/50-places-linux-running-you-might-not-expect

https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html

https://thehackernews.com/2019/02/snapd-linux-privilege-escalation.html

http://man7.org/linux/man-pages/man2/socket.2.html

https://docs.snapcraft.io/installing-snapd/6735

https://sensorstechforum.com/cve-2019-7304-snald-privilege-escalation-flaw/

Related Posts