ASA-2019-00075 – snapd: Local privilege escalation via snapd socket

Allele Security Alert



ASA-2019-00075, CVE-2019-7304, USN-3887-1


Local privilege escalation via snapd socket


Canonical Ltd



Affected version(s)

snapd versions 2.28 through 2.37

Fixed version(s)

snapd 2.37.1

Proof of concept



snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket. A local attacker could use this to access privileged socket APIs and obtain administrator privileges.

Technical details

The snapd service is described in a systemd service unit file located at /lib/systemd/system/snapd.service.

Here are the first few lines:

Description=Snappy daemon

This leads us to a systemd socket unit file, located at /lib/systemd/system/snapd.socket

The following lines provide some interesting information:


This tells us that two socket files are being created and that they can be written to by any user on the system.

We can verify this by looking at the sockets inside the file system:

$ ls -aslh /run/snapd*
0 srw-rw-rw- 1 root root 0 Jan 25 03:42 /run/snapd-snap.socket
0 srw-rw-rw- 1 root root 0 Jan 25 03:42 /run/snapd.socket

Interesting. We can use the Linux “nc” tool (as long as it is the BSD flavor) to connect to AF_UNIX sockets like these. The following is an example of connecting to one of these sockets and simply hitting enter.

$ nc -U /run/snapd.socket

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request

Even more interesting. One of the first things an attacker will do when compromising a machine is to look for hidden services that are running in the context of root. HTTP servers are prime candidates for exploitation, but they are usually found on network sockets, possibly attached to

This is enough information now to know that we have a good target for exploitation – a hidden HTTP service that is likely not widely tested as it is not readily apparent using most automated privilege escalation checks.
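Because any local user can connect to these sockets, the daemon's per-connection access check is the only control in front of the privileged API. As an added example (not snapd's code and not part of the original advisory), this Linux-only Go program takes the caller's identity from the kernel's SO_PEERCRED record rather than from a parsed address string; `allowPrivileged`, `credSeenByServer` and the demo socket path are assumed names.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// peerCred asks the kernel (SO_PEERCRED) who is on the other end of a
// connected AF_UNIX socket; nothing the client sends or names can change it.
func peerCred(c *net.UnixConn) (cred *syscall.Ucred, err error) {
	raw, err := c.SyscallConn()
	if err != nil {
		return nil, err
	}
	if cerr := raw.Control(func(fd uintptr) {
		cred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); cerr != nil {
		return nil, cerr
	}
	return cred, err
}

// allowPrivileged is a hypothetical policy: only uid 0 may reach privileged APIs.
func allowPrivileged(cred *syscall.Ucred) bool { return cred != nil && cred.Uid == 0 }

// credSeenByServer (constructed demo) listens on sockPath, connects to it from
// this same process, and returns the credentials the accepting side is given.
func credSeenByServer(sockPath string) (*syscall.Ucred, error) {
	ln, err := net.ListenUnix("unix", &net.UnixAddr{Name: sockPath, Net: "unix"})
	if err != nil {
		return nil, err
	}
	defer ln.Close() // also unlinks the socket file
	client, err := net.Dial("unix", sockPath)
	if err != nil {
		return nil, err
	}
	defer client.Close()
	srv, err := ln.AcceptUnix()
	if err != nil {
		return nil, err
	}
	defer srv.Close()
	return peerCred(srv)
}

func main() { fmt.Println(credSeenByServer(fmt.Sprintf("%s/peercred-demo-%d.socket", os.TempDir(), os.Getpid()))) }
```

The returned `Ucred` is a typed struct that stays separate from any client-chosen socket name, so the authorization decision never depends on re-parsing text the peer can influence.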


Chris Moberly


Local privilege escalation via snapd socket

USN-3887-1: snapd vulnerability

Privilege Escalation in Ubuntu Linux (dirty_sock exploit)




Last modified: February 12, 2019
