Linux Privilege Escalation via snapd (dirty_sock exploit)

2019.02.24
Risk: High
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

In January 2019, Chris Moberly discovered a privilege escalation vulnerability (CVE-2019-7304) in default installations of Ubuntu Linux. The flaw was in the snapd REST API, which the snapd service (installed by default) serves over the local Unix domain socket /run/snapd.socket. snapd derived the caller's UID from a string that concatenated the kernel-supplied peer credentials with the path of the client's own socket; because that string was split on ';' and every 'uid=' token it found overwrote the previous one, a client that bound its socket to a path ending in ';uid=0;' was treated as root. Any local user could exploit this to obtain immediate root access to the system. While Ubuntu happens to include snapd by default, any Linux system running a snapd older than 2.37.1 is vulnerable.

Two working exploits are provided in the dirty_sock repository (https://github.com/initstring/dirty_sock):

dirty_sockv1: Uses the 'create-user' API to create a local user whose details (public SSH keys) are queried from the Ubuntu SSO for a supplied e-mail address. It therefore requires outbound internet access from the target.
dirty_sockv2: Sideloads a snap containing an install hook that generates a new local user with sudo privileges. It works without internet access.

Both are effective on default installations of Ubuntu. Testing was mostly completed on 18.10, but older versions are vulnerable as well.
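The UID-parsing flaw described above, as an added example written for this page (it is not snapd's source code and not part of the dirty_sock repository): buildRemoteAddr reproduces the remote-address layout snapd used, vulnerableUID models the pre-2.37.1 behaviour of splitting on ';' and matching tokens by prefix, and hardenedUID is one possible fix that pins the field order and never re-tokenises the client-controlled socket path. The function names, the sample pid/uid values and the socket path /tmp/dirty_sock;uid=0; are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// nobodyUID is the fallback a daemon should assume when it cannot prove who
// the caller is (assumed value, matching the conventional "nobody" uid).
const nobodyUID uint32 = 65534

// buildRemoteAddr mirrors how snapd composed the per-connection remote
// address: SO_PEERCRED pid and uid from the kernel, then the peer's own
// socket path as reported by the connection. Only the first two fields are
// trustworthy; the path is chosen by the client when it binds its socket.
func buildRemoteAddr(pid, uid uint32, clientSocketPath string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s;", pid, uid, clientSocketPath)
}

// vulnerableUID models the pre-fix parser: every ';'-separated token is
// matched by prefix and a later "uid=" silently overwrites an earlier one.
// A client socket bound to "/tmp/x;uid=0;" therefore reads as root.
func vulnerableUID(remoteAddr string) (uint32, error) {
	uid := nobodyUID
	for _, tok := range strings.Split(remoteAddr, ";") {
		if strings.HasPrefix(tok, "uid=") {
			v, err := strconv.ParseUint(tok[4:], 10, 32)
			if err != nil {
				return 0, err
			}
			uid = uint32(v)
		}
	}
	return uid, nil
}

// hardenedUID requires the exact layout "pid=N;uid=M;socket=<path>;" with
// the kernel-supplied fields first. The remainder after "socket=" is
// attacker-chosen payload and is never tokenised, so "uid=0" inside it is
// inert; any other field order is rejected rather than guessed at.
func hardenedUID(remoteAddr string) (uint32, error) {
	parts := strings.SplitN(remoteAddr, ";", 3)
	if len(parts) != 3 ||
		!strings.HasPrefix(parts[0], "pid=") ||
		!strings.HasPrefix(parts[1], "uid=") ||
		!strings.HasPrefix(parts[2], "socket=") {
		return 0, errors.New("malformed remote address")
	}
	if _, err := strconv.ParseUint(parts[0][len("pid="):], 10, 32); err != nil {
		return 0, err
	}
	v, err := strconv.ParseUint(parts[1][len("uid="):], 10, 32)
	if err != nil {
		return 0, err
	}
	return uint32(v), nil
}

func main() {
	// Constructed scenario: an unprivileged caller (uid 1000) whose client
	// socket was deliberately bound to a path carrying a fake uid field.
	crafted := buildRemoteAddr(4242, 1000, "/tmp/dirty_sock;uid=0;")
	fmt.Println(crafted)
	v, _ := vulnerableUID(crafted)
	h, _ := hardenedUID(crafted)
	fmt.Printf("vulnerable parser sees uid=%d, hardened parser sees uid=%d\n", v, h)
}
```

The lesson is general: credentials obtained from the kernel must not be serialised into the same string as client-controlled data and then re-parsed, because the parser cannot tell which fragment came from where.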

References:

A full technical write-up is available in the blog post here:
https://initblog.com/2019/dirty-sock/
The bug tracker for the initial report, including credit to the researcher, can be found here:
https://bugs.launchpad.net/snapd/+bug/1813365



Copyright 2024, cxsecurity.com
