Security researcher Chris Moberly discovered a vulnerability in the REST API for Canonical’s
Canonical, the makers of Ubuntu Linux, promotes their “Snap” packages to roll all application dependencies into a single binary (similar to Windows applications).
The Snap environment includes an “app store” where developers can contribute and maintain ready-to-go packages.
“Management of locally installed snaps and communication with this online store are partially handled by a
The flaw called ‘Dirty_Sock’ would affect affects several Linux servers, the expert successfully tested on Ubuntu and released
“In January 2019, I discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.” wrote the expert.
“Two working exploits are provided in the dirty_sock repository:
“Both are effective on default installations of Ubuntu.”
Canonical has already addressed the flaw, administrators need to install the
“Chris Moberly discovered that
“A local attacker could use this to access privileged socket APIs and obtain administrator privileges. On Ubuntu systems with snaps installed,
Moberly discovered that the daemon leverages UNIX sockets to allow developers to communicate with it using a REST API.
This UNIX socket runs under the security context of the root user, so the expert investigated the possibility to elevate his privileges by abusing API methods.
The researcher discovered that it is possible to create a local user account using the daemon’s “POST /v2/create-user” API. This API command requires the program to have root permission to create a user.
The analysis of
Where the @ substring represents the RemoteAddr of the
Moberly created a socket
Parsing a string containing the uid=0 is the last part will allow overwriting the previous
The expert published the “dirty_sockv1” PoC code for this attack, but he pointed out that the attack required an Internet connection and the creation of an account on the Ubuntu SSO and uploading an SSH public key to your profile.
The expert also devised a Dirty_Sock version 2 that sees sideloads a malicious snap using the ‘POST /v2/snaps’ API instead.
“dirty_sockv2 instead uses the ‘POST /v2/snaps’ API to sideload a snap containing a bash script that will add a local user. This works on systems that do not have the SSH service running. It also works on newer Ubuntu versions with no Internet connection at all.” continues the expert.
“HOWEVER, sideloading does require some core snap pieces to be there. If they are not there, this exploit may trigger an update of the
Canonical fixed the issue with the release of the 2.37.1.