2020-05-22 05:55:48 |
James Henstridge |
bug |
|
|
added bug |
2020-05-22 05:55:48 |
James Henstridge |
attachment added |
|
xdg-open-exploit_0.1_all.snap https://bugs.launchpad.net/bugs/1880085/+attachment/5375453/+files/xdg-open-exploit_0.1_all.snap |
|
2020-05-22 05:57:10 |
James Henstridge |
attachment added |
|
xdg-open-exploit.tar.gz https://bugs.launchpad.net/snapd/+bug/1880085/+attachment/5375459/+files/xdg-open-exploit.tar.gz |
|
2020-05-22 05:57:41 |
James Henstridge |
bug |
|
|
added subscriber Jamie Strandboge |
2020-05-22 05:58:02 |
James Henstridge |
bug |
|
|
added subscriber Samuele Pedroni |
2020-05-22 05:58:15 |
James Henstridge |
bug |
|
|
added subscriber Ken VanDine |
2020-05-22 06:01:27 |
James Henstridge |
description |
snap userd's OpenURL implementation alters the value of $XDG_DATA_DIRS to include a directory controlled by the calling snap before calling /usr/bin/xdg-open:
https://github.com/snapcore/snapd/blob/7f678b92/usersession/userd/launcher.go#L109-L113
This allows the snap to control how the URL will be opened, including having executables provided by the snap run outside of confinement.
Attached is an example snap demonstrating the exploit. It works as follows:
1. the snap provides a single command plugging the desktop interface that calls "xdg-open help://whatever"
2. userd invokes the host system /usr/bin/xdg-open with $SNAP/usr/share/applications at the start of $XDG_DATA_DIRS.
3. under $SNAP/usr/share/applications, we have a yelp.desktop file whose Exec line points to an "outside-sandbox.sh" script shipped with the snap, and a mimeapps.list file to set it as the default handler for the "help:" scheme.
4. the "outside-sandbox.sh" script is executed without confinement and writes a file /tmp/foo.txt
This file can be seen in the host system /tmp rather than the snap's private /tmp, demonstrating that it was run outside the sandbox. |
snap userd's OpenURL implementation alters the value of $XDG_DATA_DIRS to include a directory controlled by the calling snap before calling /usr/bin/xdg-open:
https://github.com/snapcore/snapd/blob/7f678b92/usersession/userd/launcher.go#L109-L113
This allows the snap to control how the URL will be opened, including having executables provided by the snap run outside of confinement.
Attached is an example snap demonstrating the exploit. It works as follows:
1. the snap provides a single command plugging the desktop interface that calls "xdg-open help://whatever"
2. userd invokes the host system /usr/bin/xdg-open with $SNAP/usr/share/applications at the start of $XDG_DATA_DIRS.
3. under $SNAP/usr/share/applications, we have a yelp.desktop file whose Exec line points to an "outside-sandbox.sh" script shipped with the snap, and a mimeapps.list file to set it as the default handler for the "help:" scheme.
4. the "outside-sandbox.sh" script is executed without confinement and writes a file /tmp/foo.txt
This file can be seen in the host system /tmp rather than the snap's private /tmp, demonstrating that it was run outside the sandbox.
Note that this isn't restricted to the "help:" URI scheme: it's just more likely to succeed, since users are unlikely to override the default handler. |
|
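The precedence problem described above, as an added Go example (not code from the bug report or from snapd): a launcher that prepends a caller-controlled directory to XDG_DATA_DIRS beside one that leaves the session environment alone, run through a simplified handler lookup. The snap path, the two mimeapps.list contents and the function names are constructed for illustration; hardenedEnv shows an assumed mitigation shape, not the project's patch verbatim.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for the mimeapps.list that xdg-open reads under <dir>/applications
// for each XDG_DATA_DIRS entry (section headers omitted for brevity).
var sampleFiles = map[string]string{
	"/usr/share/applications/mimeapps.list":                "x-scheme-handler/help=gnome-help.desktop\n",
	"/snap/example/1/usr/share/applications/mimeapps.list": "x-scheme-handler/help=yelp.desktop\n",
}

// xdgDataDirs returns the XDG_DATA_DIRS search path that xdg-open would see for env.
func xdgDataDirs(env []string) []string {
	dirs := []string{"/usr/local/share", "/usr/share"} // freedesktop default when unset
	for _, kv := range env {
		if strings.HasPrefix(kv, "XDG_DATA_DIRS=") { // last duplicate wins, as os/exec does
			dirs = strings.Split(strings.TrimPrefix(kv, "XDG_DATA_DIRS="), ":")
		}
	}
	return dirs
}

// vulnerableEnv reproduces the report's pattern: a snap-owned directory goes first in XDG_DATA_DIRS.
func vulnerableEnv(session []string, snapDataDir string) []string {
	dirs := append([]string{snapDataDir}, xdgDataDirs(session)...)
	return append(append([]string(nil), session...), "XDG_DATA_DIRS="+strings.Join(dirs, ":"))
}

// hardenedEnv passes the session environment through untouched (assumed mitigation shape, not the project's patch).
func hardenedEnv(session []string) []string { return append([]string(nil), session...) }

// defaultHandler returns the first handler registered for scheme along the search path (simplified parse): first match wins.
func defaultHandler(scheme string, env []string, files map[string]string) string {
	key := "x-scheme-handler/" + scheme + "="
	for _, dir := range xdgDataDirs(env) {
		if _, after, ok := strings.Cut(files[dir+"/applications/mimeapps.list"], key); ok {
			return strings.SplitN(after, "\n", 2)[0]
		}
	}
	return ""
}

func main() {
	session := []string{"HOME=/home/user", "XDG_DATA_DIRS=/usr/local/share:/usr/share"}
	fmt.Println("vulnerable:", defaultHandler("help", vulnerableEnv(session, "/snap/example/1/usr/share"), sampleFiles)) // yelp.desktop
	fmt.Println("hardened:  ", defaultHandler("help", hardenedEnv(session), sampleFiles))                                // gnome-help.desktop
}
```

With the prepended directory, the snap's own mimeapps.list is consulted before the host's, so whatever .desktop file it names (and the Exec line inside it) becomes the handler; with the untouched environment only host-trusted directories are searched.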
2020-05-23 00:28:13 |
Seth Arnold |
cve linked |
|
2020-11934 |
|
2020-05-28 08:11:01 |
James Henstridge |
bug |
|
|
added subscriber Zygmunt Krynicki |
2020-05-28 08:11:17 |
James Henstridge |
bug |
|
|
added subscriber Maciej Borzecki |
2020-06-02 04:45:10 |
James Henstridge |
attachment added |
|
0001-usersession-userd-do-not-modify-XDG_DATA_DIRS-when-c.patch https://bugs.launchpad.net/snapd/+bug/1880085/+attachment/5379652/+files/0001-usersession-userd-do-not-modify-XDG_DATA_DIRS-when-c.patch |
|
2020-06-08 09:41:04 |
Samuele Pedroni |
snapd: status |
New |
In Progress |
|
2020-06-08 17:28:06 |
Jamie Strandboge |
bug task added |
|
snapd (Ubuntu) |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Trusty |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
bug task added |
|
snapd (Ubuntu Trusty) |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Groovy |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
bug task added |
|
snapd (Ubuntu Groovy) |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Xenial |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
bug task added |
|
snapd (Ubuntu Xenial) |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Bionic |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
bug task added |
|
snapd (Ubuntu Bionic) |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Eoan |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
bug task added |
|
snapd (Ubuntu Eoan) |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
nominated for series |
|
Ubuntu Focal |
|
2020-06-08 17:28:23 |
Jamie Strandboge |
bug task added |
|
snapd (Ubuntu Focal) |
|
2020-06-08 17:30:05 |
Jamie Strandboge |
snapd (Ubuntu Trusty): status |
New |
Won't Fix |
|
2020-06-08 17:30:15 |
Jamie Strandboge |
snapd (Ubuntu Groovy): status |
New |
Triaged |
|
2020-06-08 17:30:17 |
Jamie Strandboge |
snapd (Ubuntu Focal): status |
New |
Triaged |
|
2020-06-08 17:30:19 |
Jamie Strandboge |
snapd (Ubuntu Eoan): status |
New |
Triaged |
|
2020-06-08 17:30:21 |
Jamie Strandboge |
snapd (Ubuntu Bionic): status |
New |
Triaged |
|
2020-06-08 17:30:23 |
Jamie Strandboge |
snapd (Ubuntu Xenial): status |
New |
Triaged |
|
2020-06-08 17:30:50 |
Jamie Strandboge |
snapd (Ubuntu Xenial): assignee |
|
Maria Emilia Torino (emitorino) |
|
2020-06-08 17:31:11 |
Jamie Strandboge |
snapd (Ubuntu Bionic): assignee |
|
Maria Emilia Torino (emitorino) |
|
2020-06-08 17:31:22 |
Jamie Strandboge |
snapd (Ubuntu Eoan): assignee |
|
Maria Emilia Torino (emitorino) |
|
2020-06-08 17:31:31 |
Jamie Strandboge |
snapd (Ubuntu Focal): assignee |
|
Maria Emilia Torino (emitorino) |
|
2020-06-10 10:49:41 |
Michael Vogt |
bug |
|
|
added subscriber William Grant |
2020-07-15 12:01:01 |
Launchpad Janitor |
snapd (Ubuntu Focal): status |
Triaged |
Fix Released |
|
2020-07-15 12:01:02 |
Launchpad Janitor |
snapd (Ubuntu Eoan): status |
Triaged |
Fix Released |
|
2020-07-15 12:01:05 |
Launchpad Janitor |
snapd (Ubuntu Bionic): status |
Triaged |
Fix Released |
|
2020-07-15 12:11:12 |
Launchpad Janitor |
snapd (Ubuntu Xenial): status |
Triaged |
Fix Released |
|
2020-07-16 21:24:18 |
Emilia Torino |
information type |
Private Security |
Public |
|
2020-07-16 22:04:14 |
Emilia Torino |
information type |
Public |
Public Security |
|
2020-07-17 00:29:00 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2020-07-17 00:29:09 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2020-08-08 02:38:47 |
Launchpad Janitor |
snapd (Ubuntu Groovy): status |
Triaged |
Fix Released |
|
2020-09-29 12:31:07 |
Zygmunt Krynicki |
snapd: status |
In Progress |
Fix Released |
|