Qualys unveiled the news that I identify two vulnerabilities (CVE-2021-44731 and CVE-2021-44730) in the snap-confine utility, sent with the root SUID flag and called by the snapd process to generate an executable environment for applications distributed in snap packages.
In the blog post it is mentioned that vulnerabilities allow an unprivileged local user to achieve code execution as root in the system.
The first vulnerability allows a physical link manipulation attack, but requires disabling system hardlinks protection (by setting sysctl fs.protected_hardlinks to 0).
The problem it is due to an incorrect verification of the location of the executables of the snap-update-ns and snap-discard-ns utilities that run as root. The path to these files was calculated in the sc_open_snapd_tool() function based on its own path from /proc/self/exe, allowing you to create a hard link to confine in your directory and put your options to snap-update-ns and snap-discard-ns in this directory. When launched from a hard link, snap-confine as root will execute the attacker-substituted snap-update-ns and snap-discard-ns files from the current directory.
Successful exploitation of this vulnerability allows any non-privileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and gain full root privileges on default Ubuntu installations.
As soon as the Qualys research team confirmed the vulnerability, we engaged in responsible vulnerability disclosure and coordinated with vendor and open source distributions to announce this newly discovered vulnerability.
The second vulnerability is caused by a race condition and can be exploited in the default Ubuntu desktop configuration. For the exploit to work successfully on Ubuntu Server, you must select one of the packages from the "Featured Server Snaps" section during installation.
race condition manifests in the setup_private_mount() function called during preparation of the mount point namespace for the instant package. This function creates a temporary directory "/tmp/snap.$SNAP_NAME/tmp" or uses an existing one to link and mount directories for the snap package to it.
Since the name of the temporary directory is predictable, an attacker can change its contents to a symbolic link after verifying the owner, but before calling the mount system. For example, you can create a symlink "/tmp/snap.lxd/tmp" in the /tmp/snap.lxd directory that points to an arbitrary directory and the mount() call will follow the symlink and mount the directory in the space of names.
Similarly, you can mount its contents in /var/lib and, overriding /var/lib/snapd/mount/snap.snap-store.user-fstab, arrange to mount your /etc directory in the package namespace snap to load your library from root access by replacing /etc/ld.so.preload.
It is observed that creating an exploit turned out to be a non-trivial task, since the snap-confine utility is written using secure programming techniques (snapd is written in Go, but C is used for snap-confine), has protection based on AppArmor profiles, filters system calls based on the seccomp mechanism and uses a mount namespace for isolation.
However, the researchers were able to prepare a functional exploit to get root access on the system. The exploit code will be released a few weeks after users install the provided updates.
Finally, it is worth mentioning thatThe problems were fixed in the snapd package update for Ubuntu versions 21.10, 20.04 and 18.04.
In addition to the other distributions that make use of Snap, Snapd 2.54.3 has been released, which, in addition to the above problems, fixes another vulnerability (CVE-2021-4120), which allows, when installing specially designed plugin packages, override arbitrary AppArmor rules and bypass the access restrictions set for the package.
If you are interested in knowing more about it, you can check the details In the following link.