ubuntu-core-launcher uses incorrect glob, doesn't check for exactly one match

Bug #1576699 reported by Zygmunt Krynicki on 2016-04-29
Affects / Importance / Assigned to
ubuntu-core-launcher (Ubuntu): High, Jamie Strandboge
ubuntu-core-launcher (Ubuntu Xenial): High, Jamie Strandboge
ubuntu-core-launcher (Ubuntu Yakkety): High, Jamie Strandboge

Bug Description

A review of ubuntu-core-launcher code has found that setup_snappy_os_mounts() uses a glob with a potential for security exploit if the attacker can convince a user to install a malicious snap having a name starting with "ubuntu-core".

Due to the glob the launcher may, at random, depending on glob result ordering, choose to mount that snap instead of the real ubuntu-core snap into the filesystem namespace of all newly started application processes.

The bug is possible due to an incorrect glob and an incorrect size check.

Zygmunt Krynicki (zyga) on 2016-04-29
description: updated
Tyler Hicks (tyhicks) wrote :

Great catch! The fix in comment #1 is not correct since we don't need to use glob() any longer.

Michael Vogt (mvo) on 2016-04-29
Changed in ubuntu-core-launcher (Ubuntu):
importance: Undecided → Critical
status: New → Triaged
Changed in ubuntu-core-launcher (Ubuntu):
importance: Critical → High
Michael Vogt (mvo) wrote :

I asked the store team to blacklist any "ubuntu-core.*" names in the store to counter this.

Michael Vogt (mvo) wrote :

Nessita told me there is no support to blacklist based on prefix or regexp (which is unfortunate). So we could make all snaps manual approval for now until this issue is solved. Not sure if that big hammer is needed given that you need to convince people first to run "sudo snap install ubuntu-core-evil" to exploit this. But I leave that decision to the experts :)

Zygmunt Krynicki (zyga) wrote :

Tyler is right, the glob is no longer required. I just aimed for a minimal path to highlight the problem.

Jamie Strandboge (jdstrand) wrote :

This deserves a CVE and it should be credited to Zygmunt Krynicki. This bug provides a delayed attack opportunity and at a minimum allows data theft since a crafted snap with a crafted name (eg, ubuntu-core-evil, or similar) would have its binaries, libraries, etc bind mounted into all other snap applications' runtime environments, which can be used to execute code (ie, to ship data off) within the context of other apps when those other apps run. The scope of the attack is limited to the security policy of the installed apps and their launch (meaning that an app with privileges (eg, network-control interface) could be used in a delayed attack to escalate privileges beyond those granted to the malicious snap).

This fix can be made much simpler: skip all the glob code and just use /snap/ubuntu-core/current. We don't support .<origin> or .sideload any more so the glob is unneeded.
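An added illustration of the bug class the description and Jamie's comment describe (my own example, not the ubuntu-core-launcher source): a prefix match over snap directory names, assumed here as ubuntu-core*, combined with a match-count check that does not demand exactly one hit, beside a strict version. The directory names and their ordering are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the directory names a pattern match over /snap
 * could return. The ordering is deliberately unfavourable: a filesystem gives
 * no ordering guarantee, which is exactly what the bug depended on. */
const char *snap_dirs_mixed[] = { "ubuntu-core-evil", "ubuntu-core", "hello" };
const int snap_dirs_mixed_len = 3;
const char *snap_dirs_clean[] = { "hello", "ubuntu-core" };
const int snap_dirs_clean_len = 2;

/* Flawed selection (assumed shape of the bug, not the launcher's code):
 * a prefix pattern "ubuntu-core*" accepts any snap whose name starts with
 * the prefix, and the match-count check accepts "at least one" instead of
 * "exactly one", so whichever match comes first in directory order wins. */
const char *pick_os_snap_flawed(const char **dirs, int n)
{
    const char *first = NULL;
    int matches = 0;
    for (int i = 0; i < n; i++) {
        if (strncmp(dirs[i], "ubuntu-core", strlen("ubuntu-core")) == 0) {
            if (first == NULL)
                first = dirs[i];
            matches++;
        }
    }
    return matches >= 1 ? first : NULL;   /* bug: should demand exactly one */
}

/* Hardened selection: require the exact name and exactly one such entry.
 * The shipped fix went further and hardcoded /snap/ubuntu-core/current,
 * removing the directory scan entirely. */
const char *pick_os_snap_strict(const char **dirs, int n)
{
    const char *found = NULL;
    int matches = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(dirs[i], "ubuntu-core") == 0) {
            found = dirs[i];
            matches++;
        }
    }
    return matches == 1 ? found : NULL;
}

int main(void)
{
    const char *f = pick_os_snap_flawed(snap_dirs_mixed, snap_dirs_mixed_len);
    const char *s = pick_os_snap_strict(snap_dirs_mixed, snap_dirs_mixed_len);
    printf("flawed picks: %s\nstrict picks: %s\n", f, s);
    return 0;
}
```

The changelog's second change, an AppArmor rule that only permits mounting from /snap/ubuntu-core/*/..., is the defence-in-depth layer that would still block a regression of this selection logic.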

Zygmunt Krynicki (zyga) on 2016-04-29
description: updated
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2016-1580

Jamie Strandboge (jdstrand) wrote :

FYI, I asked the store team to put all apps under manual review. Once the USN is published, we'll lift that.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.27.1

---------------
ubuntu-core-launcher (1.0.27.1) xenial-security; urgency=medium

  * SECURITY UPDATE: delayed attack snap data theft and privilege escalation
    when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
    - src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
      instead. The glob code both used an improper glob and performed an
      incorrect check due to a typo which allowed a snap named ubuntu-core-...
      to be bind mounted into application runtimes instead of the ubuntu-core
      OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
      so the glob can simply be dropped.
    - CVE-2016-1580
  * debian/usr.bin.ubuntu-core-launcher:
    - only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
      the future
    - add lib32 and libx32 to match setup_snappy_os_mounts()

 -- Jamie Strandboge <email address hidden> Fri, 29 Apr 2016 10:06:19 -0500

Changed in ubuntu-core-launcher (Ubuntu):
status: Triaged → Fix Released
Jamie Strandboge (jdstrand) wrote :

1.0.28 uploaded to yakkety.

Changed in ubuntu-core-launcher (Ubuntu Yakkety):
status: Fix Released → New
Changed in ubuntu-core-launcher (Ubuntu Xenial):
importance: Undecided → High
status: New → Fix Released
Changed in ubuntu-core-launcher (Ubuntu Yakkety):
status: New → In Progress
Changed in ubuntu-core-launcher (Ubuntu Xenial):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ubuntu-core-launcher (Ubuntu Yakkety):
assignee: nobody → Jamie Strandboge (jdstrand)
information type: Private Security → Public Security
Changed in ubuntu-core-launcher (Ubuntu Yakkety):
status: In Progress → Fix Committed
Jamie Strandboge (jdstrand) wrote :

FYI, now that the USN is published, I asked the store team to lift manual review.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.28

---------------
ubuntu-core-launcher (1.0.28) yakkety; urgency=medium

  * SECURITY UPDATE: delayed attack snap data theft and privilege escalation
    when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
    - src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
      instead. The glob code both used an improper glob and performed an
      incorrect check due to a typo which allowed a snap named ubuntu-core-...
      to be bind mounted into application runtimes instead of the ubuntu-core
      OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
      so the glob can simply be dropped.
    - CVE-2016-1580
  * debian/usr.bin.ubuntu-core-launcher:
    - only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
      the future
    - add lib32 and libx32 to match setup_snappy_os_mounts()

 -- Jamie Strandboge <email address hidden> Fri, 29 Apr 2016 11:17:42 -0500

Changed in ubuntu-core-launcher (Ubuntu Yakkety):
status: Fix Committed → Fix Released