Allele Security Alert
ASA-2019-00075
Identifier(s)
ASA-2019-00075, CVE-2019-7304, USN-3887-1
Title
Local privilege escalation via snapd socket
Vendor(s)
Canonical Ltd
Product(s)
snapd
Affected version(s)
snapd versions 2.28 through 2.37
Fixed version(s)
snapd 2.37.1
Proof of concept
Yes
Description
snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket. A local attacker could use this to access privileged socket APIs and obtain administrator privileges.
Technical details
The snapd service is described in a systemd service unit file located at /lib/systemd/system/snapd.service.
Here are the first few lines:
```
[Unit]
Description=Snappy daemon
Requires=snapd.socket
```
This leads us to a systemd socket unit file, located at /lib/systemd/system/snapd.socket.
The following lines provide some interesting information:
```
[Socket]
ListenStream=/run/snapd.socket
ListenStream=/run/snapd-snap.socket
SocketMode=0666
```
This tells us that two socket files are being created and that they can be written to by any user on the system.
We can verify this by looking at the sockets inside the file system:
```
$ ls -aslh /run/snapd*
0 srw-rw-rw- 1 root root 0 Jan 25 03:42 /run/snapd-snap.socket
0 srw-rw-rw- 1 root root 0 Jan 25 03:42 /run/snapd.socket
```
Interesting. We can use the Linux “nc” tool (as long as it is the BSD flavor) to connect to AF_UNIX sockets like these. The following is an example of connecting to one of these sockets and simply hitting enter.
```
$ nc -U /run/snapd.socket

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request
```
Even more interesting. One of the first things an attacker will do when compromising a machine is to look for hidden services that are running in the context of root. HTTP servers are prime candidates for exploitation, but they are usually found on network sockets, possibly attached to 127.0.0.1.
This is enough information now to know that we have a good target for exploitation – a hidden HTTP service that is likely not widely tested as it is not readily apparent using most automated privilege escalation checks.
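As an added example (not part of this alert or of the original write-up), the following Python audit helper flags filesystem sockets declared in a systemd .socket unit whose SocketMode lets any user write to them, cross-checks the socket on disk the way the ls output above does, and tests a snapd version string against the affected range stated in this alert. The embedded unit text is constructed from the [Socket] lines quoted above.

```python
import os
import re
import stat

# Version bounds exactly as stated in this alert: 2.28 through 2.37 affected, 2.37.1 fixed.
FIRST_AFFECTED = (2, 28)
FIXED = (2, 37, 1)

# Constructed sample, reproducing the [Socket] lines quoted above from snapd.socket.
SAMPLE_SOCKET_UNIT = """[Socket]
ListenStream=/run/snapd.socket
ListenStream=/run/snapd-snap.socket
SocketMode=0666
"""

def parse_version(version):
    """Comparable int tuple from a snapd version; suffixes like '+18.04' or '~rc1' are dropped."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unparseable snapd version: %r" % version)
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(version):
    """True when 2.28 <= version < 2.37.1 (tuple comparison makes 2.37 < 2.37.1)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED

def world_writable_sockets(unit_text):
    """ListenStream paths of a .socket unit whose SocketMode grants 'other' write access.
    systemd documents 0666 as the default, so a missing SocketMode counts as world-writable."""
    paths, mode = [], 0o666
    for line in unit_text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "ListenStream" and value.startswith("/"):
            paths.append(value)  # filesystem AF_UNIX sockets only, not TCP ports
        elif key == "SocketMode":
            mode = int(value, 8)
    return paths if mode & stat.S_IWOTH else []

def socket_on_disk_is_world_writable(path):
    """Cross-check a live socket as 'ls -l' above does; None if it does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return stat.S_ISSOCK(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)

if __name__ == "__main__":
    for p in world_writable_sockets(SAMPLE_SOCKET_UNIT):
        print(p, "world-writable on disk:", socket_on_disk_is_world_writable(p))
```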
Credits
Chris Moberly
Reference(s)
Local privilege escalation via snapd socket
https://bugs.launchpad.net/snapd/+bug/1813365
USN-3887-1: snapd vulnerability
https://usn.ubuntu.com/3887-1/
Privilege Escalation in Ubuntu Linux (dirty_sock exploit)
https://initblog.com/2019/dirty-sock/
CVE-2019-6975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6975
CVE-2019-6975
https://nvd.nist.gov/vuln/detail/CVE-2019-6975
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: February 12, 2019