[Bug 1813365] Re: Local privilege escalation via snapd socket

2019-02-14 Thread Gustavo Niemeyer
Thanks for the clarification, Chris. We're in complete agreement.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1813365

Title:
  Local privilege escalation via snapd socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/snapd/+bug/1813365/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1813365] Re: Local privilege escalation via snapd socket

2019-02-14 Thread Chris Moberly
^ Sorry, just to add clarity:

I am not demonstrating the exploit working from within a devmode snap. I
am demonstrating a devmode snap packaged inside the exploit.

[Bug 1813365] Re: Local privilege escalation via snapd socket

2019-02-14 Thread Chris Moberly
Hi Gustavo,

Yes, but remember that this is a low-privilege user exploiting the bug
in order to install a snap in devmode to get root.

This does indeed require an exploit, so that the install hook can
execute the commands as root and add a new user. It's simply an
alternative exploit to using the create-user API.

You can see the code at github.com/initstring/dirty_sock/ in the version
2.

Some of the tech journalists covering this incorrectly claimed that my
exploit would be bundled inside malicious snaps. This is where there is
a bit of confusion, as you're 100% right - that snap would not have
access to the socket, so that is not realistic. I've tried to correct
folks where I can, but I think my blog posting is still correctly
describing things.

If you see something specific in the blog posting that should be
corrected, please let me know.

Thanks!

[Bug 1813365] Re: Local privilege escalation via snapd socket

2019-02-14 Thread Gustavo Niemeyer
Chris, I've just read your blog post at:

https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html

There you install a snap in devmode, which does a bunch of things to
demonstrate that the snap can access system resources via the
vulnerability in <2.37. Just for the record, it's slightly undue to
claim that the snap is exploiting the system in that scenario, because a
snap in devmode already has full access to the system anyway. No need
for any exploits. If you install a snap in devmode, you gave root to the
snap:

  --devmode   Put snap in development mode and disable security confinement

If the snap was installed without devmode, it wouldn't have access
to the socket.

Again, thanks for the report. Just wanted to clarify this point.

[Bug 1813365] Re: Local privilege escalation via snapd socket

2019-02-12 Thread Chris Moberly
Thanks again to everyone for your hard work, timely updates, and overall
providing such a great disclosure experience.

See you next time!

- Chris

[Bug 1813365] Re: Local privilege escalation via snapd socket

2019-02-12 Thread Jamie Strandboge
This is now public:
- https://usn.ubuntu.com/3887-1/
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SnapSocketParsing

** Information type changed from Private Security to Public Security
