CVE-2019-7304 Ubuntu Linux Privilege Escalation Vulnerability Reproduced

In January 2019, security researchers abroad discovered a privilege escalation vulnerability in the default installation of Ubuntu Linux. It is caused by a bug in the API of snapd, a service that is installed by default. Any local user can exploit it to gain root access to the system directly; the CVE number is CVE-2019-7304.

In order to simplify packaging applications on Linux systems, various new competing standards are emerging. Canonical, the maker of Ubuntu Linux, is promoting its "Snap" package format. This bundles an application together with all of its dependencies into a single binary file, similar to a Windows application.

The Snap ecosystem includes an "app store" where developers can contribute and maintain ready-to-use software packages.

Managing locally installed snaps and communicating with this online store is handled by a system service called "snapd". This service is installed automatically on Ubuntu and runs in the context of the "root" user. Snapd is becoming an important part of the Ubuntu operating system, especially in the streamlined "Snappy Ubuntu Core" spin for cloud and Internet of Things devices.

0x1 Vulnerability description

Snapd exposes a REST API on a local AF_UNIX socket. Access control for restricted API functions is implemented by querying the UID associated with each connection to that socket. While the peer information string is parsed token by token in a for loop, user-controlled socket peer data can overwrite the UID variable that was already set. This allows any local user to reach any API function.
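As an added illustration (not snapd's source code), the following Go program reconstructs the parsing problem described above. It assumes the peer information string has the layout "pid=...;uid=...;socket=...;<peer name>", where only the trailing peer name is client-controlled; both address strings are constructed sample values. The loop-style parser lets a later "uid=" token replace the trusted one, while the strict parser reads the fields in fixed order and ignores the tail.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed peer-address strings. The second one has a client-chosen peer
// name that happens to contain a "uid=" token after the trusted prefix.
const (
	honestAddr  = "pid=5127;uid=1000;socket=/run/snapd.socket;@"
	taintedAddr = "pid=5127;uid=1000;socket=/run/snapd.socket;@/tmp/x;uid=0;"
)

var errNoID = errors.New("no uid found in peer address")

// parseUIDLoop mirrors the flawed pattern: every ";"-separated token is
// inspected, so a later "uid=" token silently replaces the earlier one.
func parseUIDLoop(remoteAddr string) (uint32, error) {
	uid, found := uint32(0), false
	for _, tok := range strings.Split(remoteAddr, ";") {
		if strings.HasPrefix(tok, "uid=") {
			v, err := strconv.ParseUint(tok[4:], 10, 32)
			if err != nil {
				return 0, err
			}
			uid, found = uint32(v), true
		}
	}
	if !found {
		return 0, errNoID
	}
	return uid, nil
}

// parseUIDStrict trusts only the server-written prefix: the three fields must
// appear in fixed order, exactly once, and the client-controlled tail is ignored.
func parseUIDStrict(remoteAddr string) (uint32, error) {
	p := strings.SplitN(remoteAddr, ";", 4)
	if len(p) < 3 || !strings.HasPrefix(p[0], "pid=") ||
		!strings.HasPrefix(p[1], "uid=") || !strings.HasPrefix(p[2], "socket=") {
		return 0, errNoID
	}
	v, err := strconv.ParseUint(p[1][4:], 10, 32)
	if err != nil {
		return 0, err
	}
	return uint32(v), nil
}

func main() {
	for _, a := range []string{honestAddr, taintedAddr} {
		l, _ := parseUIDLoop(a)
		s, _ := parseUIDStrict(a)
		fmt.Printf("loop=%d strict=%d <- %q\n", l, s, a)
	}
}
```

Running it shows the loop parser reporting uid 0 for the tainted address while the strict parser still reports 1000, which is the behaviour a fixed snapd must guarantee.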

There are many ways to obtain root once the API is accessible. Two possibilities are mentioned below:

  1. Use the "create-user" API to create a local user based on the details queried from Ubuntu SSO.

  2. Sideload a snap that includes an install hook which creates new local users.

Affected versions:

Ubuntu 18.10

Ubuntu 18.04 LTS

Ubuntu 16.04 LTS

Ubuntu 14.04 LTS

0x2 Environment setup

Experimental environment: Ubuntu 16.04

Then download the POC code:

https://github.com/initstring/dirty_sock

Log in to Ubuntu: https://login.ubuntu.com

Then generate an SSH key pair locally:

ssh-keygen -t rsa -C ""

Then go to ~/.ssh and copy id_rsa.pub (the public key) into the SSH keys of your Ubuntu SSO account.

0x3 Exploit

Start testing with the first script in the downloaded PoC code:

Run script 1 directly to attempt the privilege escalation:

The output reports success, but ssh is not running, so the connection fails and the script then reports failure!

Script 2 succeeds:

The account dirty_sock is added successfully; checking its information shows that it has sudo permission:

Privilege escalation succeeded!

Going back to the first privilege escalation attempt, I found that the version of snap had been updated:

The official fix is to upgrade snapd to 2.37.1 or above, so script 1 no longer works! But we had already added a user with script 2, so the backdoor user still exists. Therefore, users of Ubuntu systems should update and upgrade as soon as possible!

Reference articles:

https://github.com/SecuritySi/CVE-2019-7304_DirtySock

http://www.4hou.com/vulnerable/16181.html

https://github.com/initstring/dirty_sock
