[BreachExchange] Attackers Gain Root Access on Linux Systems via Dirty Sock Vulnerability

Destry Winant destry at riskbasedsecurity.com
Wed Feb 13 10:09:32 EST 2019


https://hackercombat.com/attackers-gain-root-access-on-linux-systems-via-dirty-sock-vulnerability/

An article on ZDNet reports that a security researcher has published
proof-of-concept (PoC) code for a vulnerability impacting Ubuntu and
other Linux distros.

Canonical, the company behind the Ubuntu operating system, released a
patch (USN-3887-1) for this issue yesterday, ahead of the PoC being
published.

Chris Moberly discovered the vulnerability at the end of January.
Moberly is a security researcher for Shenanigans Labs and has worked
with the Canonical team to have it fixed. According to him, “the
vulnerability doesn’t allow hackers to break into vulnerable machines
remotely, but once attackers get their hands on any unpatched system
they can turn a simple intrusion into a bad hack and have complete
control over the OS.”

Technically, Dirty Sock is a local privilege escalation flaw that lets
an attacker with local access create root-level accounts.

The actual vulnerability is in the Snapd daemon that ships by default
with all recent Ubuntu versions, so this isn’t a problem with the
Ubuntu operating system itself; the same flaw affects other Linux
distros that include Snapd.

Developed and used by Canonical for Ubuntu apps since 2014, Snapd is
the daemon that manages “snaps.” Snapd lets users download and install
apps in the .snap file format.

Moberly says that Snapd exposes a local REST API server that snap
packages (and the official Ubuntu Snap Store) interact with during the
installation of new apps (snaps).

The researcher says he identified a way to skirt the access control
restrictions imposed on this API server and gain access to all API
functions, including the ones restricted for the root user.

The proof-of-concept code includes two example exploits that show how
this API can be abused to create new root-level accounts.

The malicious code that exploits this vulnerability can be run directly
on a compromised host or hidden inside malicious snap packages, some of
which have been known to make their way onto the Ubuntu Snap Store in
the past.

Snapd versions 2.28 through 2.37 are all vulnerable to the Dirty Sock
exploit. Moberly reported the issue to Canonical, Snapd’s developer,
who released Snapd version 2.37.1 this week to address the issue.
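A quick way for an administrator to tell whether a host still falls in the affected range the article gives (2.28 through 2.37, fixed in 2.37.1). This is an added example, not code from the article or from Snapd; it assumes the upstream numeric part of the version string (before any distro suffix such as "+18.04") is what determines exposure, and it parses "snap version" output with a constructed sample.

```python
"""Check an installed snapd version against the Dirty Sock affected range."""
import re
import subprocess

# Range stated in the article: 2.28 through 2.37 affected, 2.37.1 fixed.
AFFECTED_MIN = (2, 28)
FIXED_AT = (2, 37, 1)

# Constructed sample of what "snap version" prints on an unpatched host.
SAMPLE_SNAP_VERSION_OUTPUT = """snap    2.37
snapd   2.37
series  16
ubuntu  18.04
kernel  4.15.0-45-generic
"""


def parse_version(text: str) -> tuple:
    """Turn '2.37.1+18.04' into (2, 37, 1) so versions compare as tuples.
    Assumption: anything after '+', '~' or '-' is a distro suffix and ignored."""
    core = re.split(r"[+~-]", text.strip(), maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised snapd version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when 2.28 <= version < 2.37.1, i.e. inside the range the article gives."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT


def snapd_version_from_output(output: str) -> str:
    """Pull the 'snapd' line out of `snap version` output; raise if it is absent."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "snapd":
            return fields[1]
    raise ValueError("no 'snapd' line found in `snap version` output")


def check_host() -> str:
    """Run `snap version` on this machine and report; 'no snapd' if it is not installed."""
    try:
        out = subprocess.run(["snap", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "no snapd"
    ver = snapd_version_from_output(out)
    return f"snapd {ver}: {'AFFECTED, apply USN-3887-1' if is_affected(ver) else 'not affected'}"


if __name__ == "__main__":
    print(check_host())
```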

At the same time, Canonical also released security updates for the
Ubuntu Linux OS, for which the Snapd package was initially developed
and where it’s included and enabled by default.

Other Linux distros that use Snapd also shipped security updates, such
as Debian, Arch Linux, OpenSUSE, Solus, and Fedora.
