In January 2019, Chris Moberly discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.
While Ubuntu happens to include snapd by default, any Linux system with this package installed is vulnerable.
Two working exploits are provided in the dirty_sock repository (https://github.com/initstring/dirty_sock):
dirty_sockv1: Uses the ‘create-user’ API to create a local user based on details queried from the Ubuntu SSO.
dirty_sockv2: Sideloads a Snap that contains an install-hook that generates a new local user.
Both are effective on default installations of Ubuntu. Testing was mostly completed on 18.10, but older versions are vulnerable as well.
References:
A full technical write-up is available in the blog posting here:
https://initblog.com/2019/dirty-sock/
The bug tracker for the initial report, including credit to the researcher, can be found here: