ASA-2019-00075 – snapd: Local privilege escalation via snapd socket


Allele Security Alert

ASA-2019-00075

Identifier(s)

ASA-2019-00075, CVE-2019-7304, USN-3887-1

Title

Local privilege escalation via snapd socket

Vendor(s)

Canonical Ltd

Product(s)

snapd

Affected version(s)

snapd versions 2.28 through 2.37

Fixed version(s)

snapd 2.37.1

Proof of concept

Yes

Description

snapd versions 2.28 through 2.37 incorrectly validated and parsed the remote socket address when performing access controls on its UNIX socket. A local attacker could use this to access privileged socket APIs and obtain administrator privileges.

Technical details

The snapd service is described in a systemd service unit file located at /lib/systemd/system/snapd.service.

Here are the first few lines:

```
[Unit]
Description=Snappy daemon
Requires=snapd.socket
```

This leads us to the systemd socket unit file located at /lib/systemd/system/snapd.socket.

The following lines provide some interesting information:

```
[Socket]
ListenStream=/run/snapd.socket
ListenStream=/run/snapd-snap.socket
SocketMode=0666
```

This tells us that two socket files are being created and that they can be written to by any user on the system.

We can verify this by looking at the sockets inside the file system:

```
$ ls -aslh /run/snapd*
0 srw-rw-rw- 1 root root 0 Jan 25 03:42 /run/snapd-snap.socket
0 srw-rw-rw- 1 root root 0 Jan 25 03:42 /run/snapd.socket
```

Interesting. We can use the Linux “nc” tool (as long as it is the BSD flavor) to connect to AF_UNIX sockets like these. The following is an example of connecting to one of these sockets and simply hitting enter.

```
$ nc -U /run/snapd.socket

HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request
```

Even more interesting. One of the first things an attacker will do when compromising a machine is to look for hidden services that are running in the context of root. HTTP servers are prime candidates for exploitation, but they are usually found on network sockets, possibly attached to 127.0.0.1.

This is enough information now to know that we have a good target for exploitation – a hidden HTTP service that is likely not widely tested as it is not readily apparent using most automated privilege escalation checks.
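The description above says snapd derived the caller's identity from the remote socket address when enforcing access controls. snapd's own implementation is not shown on this page; the following is an added example (not snapd's code) of the robust alternative for a service listening on a world-writable UNIX socket: ask the kernel for the peer's uid via SO_PEERCRED, which the client cannot influence, and gate privileged API calls on that. It assumes Linux and uses a constructed socket path.

```python
import os
import socket
import struct
import tempfile

# struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid (three 32-bit ints).
_UCRED_FMT = "3i"


def peer_credentials(conn: socket.socket) -> tuple[int, int, int]:
    """Return (pid, uid, gid) of the process on the other end of an AF_UNIX
    connection, as recorded by the kernel at connect time (Linux-only).
    Nothing the client sends or names can alter this value."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize(_UCRED_FMT))
    return struct.unpack(_UCRED_FMT, raw)


def authorize(uid: int, privileged: bool) -> bool:
    """Privileged API calls require root; everything else stays open to any
    local user who can reach the 0666 socket."""
    return not privileged or uid == 0


def round_trip(sock_path: str) -> int:
    """Serve one connection on sock_path, connect to it as a client and
    return the uid the server side observed for that client."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)  # stale socket file from an earlier run
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        os.chmod(sock_path, 0o666)  # mirror SocketMode=0666 from snapd.socket
        srv.listen(1)
        # connect() completes once the connection sits in the listen backlog,
        # so the client can be created before accept() is called.
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
            client.connect(sock_path)
            conn, _ = srv.accept()
            with conn:
                _pid, uid, _gid = peer_credentials(conn)
    os.unlink(sock_path)
    return uid


if __name__ == "__main__":
    # Constructed demo path, not a path used by snapd.
    path = os.path.join(tempfile.gettempdir(), "asa-peercred-demo.sock")
    uid = round_trip(path)
    print(f"peer uid {uid}; privileged API allowed: {authorize(uid, True)}")
```

Run as an unprivileged user the server reports that user's uid and refuses the privileged call; the same check run by root reports uid 0 and allows it.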

Credits

Chris Moberly

Reference(s)

Local privilege escalation via snapd socket
https://bugs.launchpad.net/snapd/+bug/1813365

USN-3887-1: snapd vulnerability
https://usn.ubuntu.com/3887-1/

Privilege Escalation in Ubuntu Linux (dirty_sock exploit)
https://initblog.com/2019/dirty-sock/

CVE-2019-7304
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7304

CVE-2019-7304
https://nvd.nist.gov/vuln/detail/CVE-2019-7304

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 12, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.