Ubuntu and other Linux distributions recently became victims of a severe privilege escalation vulnerability. It is named Dirty Sock because it revolves around the handling of sockets, and it allows an attacker to gain root-level access to the system. The privilege escalation is local and was found in Canonical's snapd package.
Chris Moberly, the security researcher who uncovered the vulnerability, said that Dirty Sock does not actually exist in the Ubuntu operating system itself but in snapd, which Linux users use to download and install applications in the snap format. Moberly added that the vulnerability (CVE-2019-7304) resides in the snapd API, which is installed in Ubuntu by default in both the server and desktop editions.
Dirty Sock does not let an attacker gain control of a system remotely. But once an attacker has a foothold on any unpatched system, they can turn a simple, low-impact vulnerability into an intrusive compromise and gain complete control over the operating system. In other words, Dirty Sock lets the attacker create superuser (root-level) access.
The first thing an attacker does to compromise a machine is look for hidden services running in the context of root. HTTP services are easy targets for exploitation because they are usually found on network sockets. The attacker can use two methods to exploit this flaw.
Moberly published on GitHub two sample exploits that show how an attacker can create a new root-level account.
In the first method, called dirty_sockv1, the attacker bypasses access control and uses a restricted API function (POST /v2/create-user) of the local snapd service, the service that is used when installing new applications (snaps).
This queries Ubuntu SSO for the username and public SSH key associated with a provided email address, and then creates a local user with those values. The drawback of this method is that successful exploitation requires an internet connection and an SSH service that is reachable on the host.
The second method, dirty_sockv2, likewise uses a restricted API function, this time POST /v2/snaps, which allows it to install arbitrary snaps. dirty_sockv2 exploits the vulnerability by installing an empty devmode snap that includes a hook, which adds a new user to the local system, essentially allowing that user to run sudo commands. Unlike dirty_sockv1, it does not need an SSH service to be running and works without any internet connection at all. Moberly published both proof-of-concept codes on GitHub, with two examples explaining in detail how each method works.
snapd versions 2.28 through 2.37 are all vulnerable to Dirty Sock. Canonical's snapd developers have released snapd 2.37.1 to fix the issue.
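As an added defender-side example (not from the article and not part of Moberly's proof-of-concept code), the following script checks whether an installed snapd falls inside the vulnerable range stated above. It assumes the two-column text format of `snap version` output (label, then version) and embeds a constructed sample of that output so it can be tested offline.

```python
import re
import subprocess
from typing import Optional, Tuple

# CVE-2019-7304 (Dirty Sock): snapd 2.28 through 2.37 are affected; 2.37.1 ships the fix.
FIRST_VULNERABLE = (2, 28)
FIXED = (2, 37, 1)

# Constructed sample of `snap version` output for an unpatched host (not a real capture).
SAMPLE_OUTPUT = """\
snap    2.37
snapd   2.37
series  16
ubuntu  18.04
kernel  4.15.0-45-generic
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.37.1' or '2.37.1+18.04' into a comparable tuple such as (2, 37, 1)."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def snapd_version_from_output(output: str) -> Optional[str]:
    """Pick the version from the 'snapd' line of `snap version` output (assumed two-column format)."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "snapd":
            return parts[1]
    return None


def is_vulnerable(version: str) -> bool:
    """True when 2.28 <= version < 2.37.1, i.e. inside the Dirty Sock range."""
    v = parse_version(version)
    return FIRST_VULNERABLE <= v < FIXED


def check_host(output: str) -> Tuple[Optional[str], bool]:
    """Return (snapd version, vulnerable?) for a given `snap version` output."""
    version = snapd_version_from_output(output)
    return version, bool(version) and is_vulnerable(version)


if __name__ == "__main__":
    out = subprocess.run(["snap", "version"], capture_output=True, text=True).stdout
    print(check_host(out))
```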