Shulou (Shulou.com), 06/01 report. Updated 2025-01-16.
This article analyzes a local privilege escalation vulnerability in snap, the Linux package manager.
0x00 Vulnerability background
Snap is a package manager for Linux. It has been pre-installed by default since Ubuntu 18.04. On February 13, 2019, Chris Moberly disclosed the details of a vulnerability in the REST API exposed by snapd, the service process of the snap package manager. The vulnerability is caused by a flaw in how the requesting client is authenticated. The following is a screenshot of a successful privilege escalation using the disclosed exploit.
0x01 Vulnerability impact
This vulnerability allows an ordinary user to send requests to the REST API provided by snapd while posing as the root user. Using a carefully constructed installation script or Ubuntu SSO, an attacker can give sudo rights to an ordinary user who does not have them, and from there escalate to root, achieving local privilege escalation.
0x02 Vulnerability details
Snapd is the service process of the snap package manager. It runs in the background with root privileges and lets ordinary users communicate with it over a UNIX socket. Some of the operations it offers require the client's user identity (uid) to be authenticated before they run. The code that collects the client information ultimately calls the ucrednetGet function (shown below) to obtain the client's user id. In this function, the string remoteAddr is split on ";" and each piece is searched for the "uid=" prefix to determine the current user's uid. Usually, remoteAddr is roughly in the format "pid=5100;uid=1002;socket=/run/snapd.socket;@". As the code logic shows, a "uid=" that appears later in the string overrides the earlier uid. An attacker can take advantage of this by constructing a UNIX socket binding address such as "/tmp/sock;uid=0;" in order to send requests while masquerading as the root user, and then have snapd perform privileged operations to escalate privileges.
func ucrednetGet(remoteAddr string) (pid uint32, uid uint32, socket string, err error) {
	...
	for _, token := range strings.Split(remoteAddr, ";") {
		var v uint64
		...
		} else if strings.HasPrefix(token, "uid=") {
			// Every "uid=" token is accepted, so a later one overwrites an earlier one.
			if v, err = strconv.ParseUint(token[4:], 10, 32); err == nil {
				uid = uint32(v)
			} else {
				break
			}
		}
		...
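An added example, not from the original article or from snapd's code: a simplified Go model of the last-"uid="-wins parsing described above, next to a stricter parser. The function names, the anchored regular expression and the sample strings are assumptions constructed for illustration; the strict parser is one possible hardening, not the project's actual fix.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// lastWinsUID models the parsing described above: every "uid=" token is
// accepted, so a later token overwrites the kernel-supplied value.
func lastWinsUID(remoteAddr string) (uid uint32, err error) {
	for _, token := range strings.Split(remoteAddr, ";") {
		if strings.HasPrefix(token, "uid=") {
			v, perr := strconv.ParseUint(token[4:], 10, 32)
			if perr != nil {
				return 0, perr
			}
			uid = uint32(v)
		}
	}
	return uid, nil
}

// strictRe (hypothetical) anchors the trusted fields at the start of the
// string and captures the client-controlled remainder separately.
var strictRe = regexp.MustCompile(`^pid=(\d+);uid=(\d+);socket=([^;]*);(.*)$`)

// strictUID reads uid only from the anchored prefix and rejects a peer
// address containing field separators or key/value syntax.
func strictUID(remoteAddr string) (uint32, error) {
	m := strictRe.FindStringSubmatch(remoteAddr)
	if m == nil || strings.ContainsAny(m[4], ";=") {
		return 0, fmt.Errorf("untrusted or malformed remote address %q", remoteAddr)
	}
	v, err := strconv.ParseUint(m[2], 10, 32) // callers must check err
	return uint32(v), err
}

func main() {
	// Constructed inputs: the sample format, then the crafted bind address in place of "@".
	for _, a := range []string{
		"pid=5100;uid=1002;socket=/run/snapd.socket;@",
		"pid=5100;uid=1002;socket=/run/snapd.socket;/tmp/sock;uid=0;",
	} {
		lu, _ := lastWinsUID(a)
		su, err := strictUID(a)
		fmt.Printf("last-wins uid=%d strict uid=%d err=%v\n", lu, su, err)
	}
}
```

The strict parser treats everything after the socket field as untrusted data and never parses it for credentials.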
0x03 Remediation
At present, the details of the vulnerability are public and the vendor has fixed it in version 2.37.1. Ubuntu users can upgrade snap to the latest version with apt update && apt-get install snap to fix it.