snap userd's OpenURL method allows sandbox escape

Bug #1880085 reported by James Henstridge
Affects            Status         Importance   Assigned to      Milestone
snapd              Fix Released   Undecided    Unassigned
snapd (Ubuntu)     Fix Released   Undecided    Unassigned
  Trusty           Won't Fix      Undecided    Unassigned
  Xenial           Fix Released   Undecided    Emilia Torino
  Bionic           Fix Released   Undecided    Emilia Torino
  Eoan             Fix Released   Undecided    Emilia Torino
  Focal            Fix Released   Undecided    Emilia Torino
  Groovy           Fix Released   Undecided    Unassigned

Bug Description

snap userd's OpenURL implementation alters the value of $XDG_DATA_DIRS to include a directory controlled by the calling snap before calling /usr/bin/xdg-open:

https://github.com/snapcore/snapd/blob/7f678b92/usersession/userd/launcher.go#L109-L113

This allows the snap to control how the URL will be opened, including having executables provided by the snap run outside of confinement.

Attached is an example snap demonstrating the exploit. It works as follows:

1. the snap provides a single command plugging the desktop interface that calls "xdg-open help://whatever"

2. userd invokes the host system /usr/bin/xdg-open with $SNAP/usr/share/applications at the start of $XDG_DATA_DIRS.

3. under $SNAP/usr/share/applications, we have a yelp.desktop file whose Exec line points to an "outside-sandbox.sh" script shipped with the snap, and a mimeapps.list file to set it as the default handler for the "help:" scheme.

4. the "outside-sandbox.sh" script is executed without confinement and writes a file /tmp/foo.txt

This file can be seen in the host system /tmp rather than the snap's private /tmp, demonstrating that it was run outside the sandbox.

Note that this isn't restricted to the "help:" URI scheme: it's just more likely to succeed, since users are unlikely to override the default handler.

Tags: patch
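
An added example, not code from snapd or from this report: a defence-in-depth check that a broker process could run on the environment it is about to hand to a host helper such as xdg-open, dropping any XDG_DATA_DIRS entry that lies under a caller-controlled root. The function names and the root list (/snap, /var/lib/snapd/snap) are assumptions for illustration, and the check goes beyond the fix released for this bug, which removed the XDG_DATA_DIRS modification altogether.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// underRoot reports whether dir is root or lies below it after lexical
// cleaning, so "/usr/share/../../snap/demo" is still caught. Symlinks are
// not resolved here.
func underRoot(dir, root string) bool {
	dir, root = filepath.Clean(dir), filepath.Clean(root)
	return dir == root || strings.HasPrefix(dir, root+string(filepath.Separator))
}

// scrubDataDirs (hypothetical helper) copies env, removing from XDG_DATA_DIRS
// every entry that is empty, relative, or under one of untrustedRoots.
// The dropped entries are returned so the caller can log them.
func scrubDataDirs(env, untrustedRoots []string) (clean, dropped []string) {
	const key = "XDG_DATA_DIRS="
	for _, kv := range env {
		if !strings.HasPrefix(kv, key) {
			clean = append(clean, kv)
			continue
		}
		var kept []string
		for _, dir := range strings.Split(strings.TrimPrefix(kv, key), ":") {
			bad := dir == "" || !filepath.IsAbs(dir)
			for _, root := range untrustedRoots {
				bad = bad || underRoot(dir, root)
			}
			if bad {
				dropped = append(dropped, dir)
			} else {
				kept = append(kept, dir)
			}
		}
		if len(kept) > 0 { // otherwise leave it unset: XDG defaults apply
			clean = append(clean, key+strings.Join(kept, ":"))
		}
	}
	return clean, dropped
}

func main() {
	// Constructed sample environment; the snap name and revision are made up.
	env := []string{"HOME=/home/user", "XDG_DATA_DIRS=/snap/demo/x1/usr/share:/usr/local/share:/usr/share"}
	clean, dropped := scrubDataDirs(env, []string{"/snap", "/var/lib/snapd/snap"})
	fmt.Println(clean, dropped)
}
```

A non-empty `dropped` list is worth logging: it means something upstream of the helper tried to put application-controlled directories on the desktop-file search path.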


James Henstridge (jamesh) wrote :

The Snapcraft project used to build the exploit snap.

description: updated
Jamie Strandboge (jdstrand) wrote :

Thanks James. snapd team, this will require a deb update, USN and cross-distro updates. I'll send a coordinating email.

Seth Arnold (seth-arnold) wrote :

Please use CVE-2020-11934 for this issue. Thanks.

James Henstridge (jamesh) wrote :

Attached is a patch to remove the offending code from userd. This does not include the packaging changes needed to release new snaps or debs.

Changed in snapd:
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Marking the trusty task as "won't fix" per https://wiki.ubuntu.com/SecurityTeam/ESM/14.04#Exclusions where snapd is supported on 14.04 ESM insofar as enabling livepatch and cvescan (neither of which use this API).

Changed in snapd (Ubuntu Trusty):
status: New → Won't Fix
Changed in snapd (Ubuntu Groovy):
status: New → Triaged
Changed in snapd (Ubuntu Focal):
status: New → Triaged
Changed in snapd (Ubuntu Eoan):
status: New → Triaged
Changed in snapd (Ubuntu Bionic):
status: New → Triaged
Changed in snapd (Ubuntu Xenial):
status: New → Triaged
assignee: nobody → Maria Emilia Torino (emitorino)
Changed in snapd (Ubuntu Bionic):
assignee: nobody → Maria Emilia Torino (emitorino)
Changed in snapd (Ubuntu Eoan):
assignee: nobody → Maria Emilia Torino (emitorino)
Changed in snapd (Ubuntu Focal):
assignee: nobody → Maria Emilia Torino (emitorino)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.45.1+20.04.2

---------------
snapd (2.45.1+20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: sandbox escape vulnerability via snapctl user-open
    (xdg-open)
    - usersession/userd/launcher.go: remove XDG_DATA_DIRS environment
      variable modification when calling the system xdg-open. Patch
      thanks to James Henstridge
    - packaging/ubuntu-16.04/snapd.postinst: kill userd on upgrade so it
      may autostart on next use. Patch thanks to Michael Vogt
    - CVE-2020-11934
    - LP: #1880085

 -- Emilia Torino <email address hidden> Fri, 10 Jul 2020 10:59:20 -0300

Changed in snapd (Ubuntu Focal):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.45.1+19.10.2

---------------
snapd (2.45.1+19.10.2) eoan-security; urgency=medium

  * SECURITY UPDATE: sandbox escape vulnerability via snapctl user-open
    (xdg-open)
    - usersession/userd/launcher.go: remove XDG_DATA_DIRS environment
      variable modification when calling the system xdg-open. Patch
      thanks to James Henstridge
    - packaging/ubuntu-16.04/snapd.postinst: kill userd on upgrade so it
      may autostart on next use. Patch thanks to Michael Vogt
    - CVE-2020-11934
    - LP: #1880085

 -- Emilia Torino <email address hidden> Fri, 10 Jul 2020 10:57:06 -0300

Changed in snapd (Ubuntu Eoan):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.45.1+18.04.2

---------------
snapd (2.45.1+18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: sandbox escape vulnerability via snapctl user-open
    (xdg-open)
    - usersession/userd/launcher.go: remove XDG_DATA_DIRS environment
      variable modification when calling the system xdg-open. Patch
      thanks to James Henstridge
    - packaging/ubuntu-16.04/snapd.postinst: kill userd on upgrade so it
      may autostart on next use. Patch thanks to Michael Vogt
    - CVE-2020-11934
    - LP: #1880085

 -- Emilia Torino <email address hidden> Fri, 10 Jul 2020 11:00:39 -0300

Changed in snapd (Ubuntu Bionic):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.45.1ubuntu0.2

---------------
snapd (2.45.1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: sandbox escape vulnerability via snapctl user-open
    (xdg-open)
    - usersession/userd/launcher.go: remove XDG_DATA_DIRS environment
      variable modification when calling the system xdg-open. Patch
      thanks to James Henstridge
    - packaging/ubuntu-16.04/snapd.postinst: kill userd on upgrade so it
      may autostart on next use. Patch thanks to Michael Vogt
    - CVE-2020-11934
    - LP: #1880085

 -- Emilia Torino <email address hidden> Fri, 10 Jul 2020 10:40:52 -0300

Changed in snapd (Ubuntu Xenial):
status: Triaged → Fix Released
information type: Private Security → Public
information type: Public → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-usersession-userd-do-not-modify-XDG_DATA_DIRS-when-c.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package snapd - 2.46~pre1.gitaf15176

---------------
snapd (2.46~pre1.gitaf15176) groovy; urgency=medium

  * New git snapshot for the upcoming 2.46 release

 -- Michael Vogt <email address hidden> Fri, 07 Aug 2020 09:15:31 +0200

Changed in snapd (Ubuntu Groovy):
status: Triaged → Fix Released
Zygmunt Krynicki (zyga) wrote :

This was released a while ago, the upstream task was stale.

Changed in snapd:
status: In Progress → Fix Released