snap userd's OpenURL method allows sandbox escape
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | Fix Released | Undecided | Unassigned |
snapd (Ubuntu) | Fix Released | Undecided | Unassigned |
Trusty | Won't Fix | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Emilia Torino |
Bionic | Fix Released | Undecided | Emilia Torino |
Eoan | Fix Released | Undecided | Emilia Torino |
Focal | Fix Released | Undecided | Emilia Torino |
Groovy | Fix Released | Undecided | Unassigned |
Bug Description
snap userd's OpenURL implementation alters the value of $XDG_DATA_DIRS to include a directory controlled by the calling snap before calling /usr/bin/xdg-open:
https:/
This allows the snap to control how the URL will be opened, including having executables provided by the snap run outside of confinement.
Attached is an example snap demonstrating the exploit. It works as follows:
1. the snap provides a single command plugging the desktop interface that calls "xdg-open help://whatever"
2. userd invokes the host system /usr/bin/xdg-open with $SNAP/usr/
3. under $SNAP/usr/
4. the "outside-
This file can be seen in the host system /tmp rather than the snap's private /tmp, demonstrating that it was run outside the sandbox.
Note that this isn't restricted to the "help:" URI scheme: it's just more likely to succeed, since users are unlikely to override the default handler.
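The root cause described above is that a directory the snap controls ends up in the data-directory search path handed to the host's /usr/bin/xdg-open, which then trusts desktop files found there. One way a privileged helper can defend against this class of bug, shown here as an added example that is neither snapd's code nor its actual fix, is to allowlist the XDG_DATA_DIRS entries it forwards: every entry is cleaned, must be absolute, and must sit under a trusted host prefix; anything else (snap-provided directories, traversal tricks, relative paths) is dropped and reported so the caller can log it. The trusted prefixes /usr/local/share and /usr/share and the function names SanitizeDataDirs and HostEnvForXDGOpen are assumptions of this illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// DefaultTrustedDataDirs are the host directories xdg-open may search for
// handlers. Assumed for this illustration; the real host default order is
// used so behaviour matches an unmodified environment.
var DefaultTrustedDataDirs = []string{"/usr/local/share", "/usr/share"}

// underAny reports whether the cleaned absolute path p equals, or lies
// beneath, one of the trusted prefixes.
func underAny(p string, prefixes []string) bool {
	for _, pre := range prefixes {
		pre = filepath.Clean(pre)
		if p == pre || strings.HasPrefix(p, pre+"/") {
			return true
		}
	}
	return false
}

// SanitizeDataDirs takes a colon-separated XDG_DATA_DIRS value that may have
// been influenced by an untrusted caller and returns the value the host
// xdg-open should see, plus the entries that were rejected. Entries are
// cleaned first so "/usr/share/../../snap/x/1/usr/share" is judged by where
// it really points. Duplicates are removed keeping first-occurrence order.
func SanitizeDataDirs(value string, trusted []string) (kept string, dropped []string) {
	var out []string
	seen := map[string]bool{}
	for _, raw := range strings.Split(value, ":") {
		if raw == "" {
			continue // empty entries carry no information; skip silently
		}
		p := filepath.Clean(raw)
		if !filepath.IsAbs(p) || !underAny(p, trusted) {
			dropped = append(dropped, p)
			continue
		}
		if seen[p] {
			continue
		}
		seen[p] = true
		out = append(out, p)
	}
	return strings.Join(out, ":"), dropped
}

// HostEnvForXDGOpen builds the environment for spawning the host xdg-open.
// XDG_DATA_DIRS is rewritten through SanitizeDataDirs; if nothing survives,
// or the variable is absent, the trusted default is used so the handler
// search path is never left under the caller's control.
func HostEnvForXDGOpen(env []string, trusted []string) []string {
	defaultDirs := strings.Join(trusted, ":")
	out := make([]string, 0, len(env)+1)
	replaced := false
	for _, kv := range env {
		if !strings.HasPrefix(kv, "XDG_DATA_DIRS=") {
			out = append(out, kv)
			continue
		}
		kept, _ := SanitizeDataDirs(strings.TrimPrefix(kv, "XDG_DATA_DIRS="), trusted)
		if kept == "" {
			kept = defaultDirs
		}
		out = append(out, "XDG_DATA_DIRS="+kept)
		replaced = true
	}
	if !replaced {
		out = append(out, "XDG_DATA_DIRS="+defaultDirs)
	}
	return out
}

func main() {
	// Constructed input: a snap-controlled directory prepended, a traversal
	// that resolves into the same directory, an empty entry and a relative one.
	in := "/snap/example/1/usr/share:/usr/local/share:/usr/share:" +
		"/usr/share/../../snap/example/1/usr/share::relative/share:/usr/share"
	kept, dropped := SanitizeDataDirs(in, DefaultTrustedDataDirs)
	fmt.Println("forwarded:", kept)
	for _, d := range dropped {
		fmt.Println("rejected XDG_DATA_DIRS entry:", d) // candidate for an audit log line
	}
	env := HostEnvForXDGOpen([]string{"HOME=/home/user", "XDG_DATA_DIRS=" + in}, DefaultTrustedDataDirs)
	fmt.Println(strings.Join(env, "\n"))
}
```

The same reasoning applies to any other variable xdg-open or the desktop handlers consult (for example XDG_DATA_HOME or XDG_CONFIG_HOME): a helper that runs outside confinement should construct the child environment from values it trusts rather than pass through what the confined caller supplied.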
Changed in snapd:
status: New → In Progress
information type: Private Security → Public
information type: Public → Public Security
The Snapcraft project used to build the exploit snap.