Qualys has disclosed two vulnerabilities (CVE-2021-44731, CVE-2021-44730) in the snap-confine utility, which ships with the SUID root bit set and is invoked by the snapd process to set up the execution environment for applications distributed as self-contained packages in snap format. The vulnerabilities allow a local unprivileged user to execute code as root on the system. The problems are fixed in today's update of the snapd packages for Ubuntu 21.10, 20.04 and 18.04.
The first vulnerability (CVE-2021-44730) allows an attack through manipulation of hard links, but requires the system's hard-link protection to be disabled (sysctl fs.protected_hardlinks set to 0). The problem is caused by an incorrect check of the location of the snap-update-ns and snap-discard-ns executables, which run with root privileges. The path to these files was computed in the sc_open_snapd_tool() function from snap-confine's own path as reported by /proc/self/exe, which made it possible to create a hard link to snap-confine in a directory of the attacker's choosing and place their own snap-update-ns and snap-discard-ns binaries in that directory. When started, snap-confine then launched the snap-update-ns and snap-discard-ns files from the current directory, which is under the attacker's control, with root privileges.
The second vulnerability (CVE-2021-44731) is caused by a race condition and can be exploited in the default Ubuntu Desktop configuration. On Ubuntu Server, successful exploitation requires that one of the packages from the "Featured Server Snaps" section was selected during installation. The race condition manifests in the setup_private_mount() function, which is called while preparing the mount namespace for the snap package. This function creates a temporary directory "/tmp/snap.$snap_name/tmp", or uses an already existing one, for bind-mounting directories into the snap package.
Since the name of the temporary directory is predictable, an attacker can replace its contents with a symbolic link after the owner check has been performed but before the mount system call is made. For example, one can create a symbolic link "/tmp/snap.lxd/tmp" pointing to an arbitrary directory, and the mount() call will follow the symbolic link and mount that directory into the snap's namespace. In this way the attacker can mount their own content into /var/lib and, by replacing /var/lib/snapd/mount/snap.snap-store.user-fstab, arrange for their own /etc directory to be mounted into the snap package's namespace in order to substitute /etc/ld.so.preload.
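The race in setup_private_mount() is a classic check-then-use gap: the directory is validated by name, and mount() later resolves the same name again. The following is an added illustration, not snap-confine's code or the upstream fix: it contrasts that pattern with one that validates an opened descriptor and never re-resolves the name, using a simulated attacker hook that swaps the directory for a symlink inside the window. The names (check_then_use, open_then_use, swap_hook, demo) and the /tmp/toctou-demo layout are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct swap_ctx { const char *path; const char *target; };
static void swap_hook(void *arg) {            /* simulated attacker step in the race window: */
    struct swap_ctx *c = arg;                 /* replace the checked dir by a same-named symlink */
    rmdir(c->path); symlink(c->target, c->path);
}

/* Vulnerable shape: validate by name, then act by name again later. */
int check_then_use(const char *path, uid_t uid, void (*hook)(void *), void *arg, ino_t *used) {
    struct stat st;
    if (lstat(path, &st) < 0 || !S_ISDIR(st.st_mode) || st.st_uid != uid) return -1;
    if (hook) hook(arg);                      /* race window between check and use */
    if (stat(path, &st) < 0) return -1;       /* re-resolves the name and follows a symlink */
    *used = st.st_ino; return 0;
}

/* Hardened shape: open once with O_NOFOLLOW|O_DIRECTORY, validate the descriptor,
 * and keep using the descriptor (e.g. mount via /proc/self/fd/N), never the name. */
int open_then_use(const char *path, uid_t uid, void (*hook)(void *), void *arg, ino_t *used) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0 || fstat(fd, &st) < 0 || st.st_uid != uid) { if (fd >= 0) close(fd); return -1; }
    if (hook) hook(arg);                      /* same window, but the name is not consulted again */
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    *used = st.st_ino; close(fd); return 0;
}

/* Runs one variant on a constructed layout under a fresh temp dir (cleanup omitted).
 * Returns 1 if the "use" step acted on the attacker's target directory,
 * 0 if it acted on the directory that was validated, -1 on setup error. */
int demo(int hardened) {
    char base[] = "/tmp/toctou-demo-XXXXXX", dir[64], tgt[64];
    struct stat st; ino_t orig, target, used;
    if (!mkdtemp(base)) return -1;
    snprintf(dir, sizeof dir, "%s/tmp", base);
    snprintf(tgt, sizeof tgt, "%s/elsewhere", base);
    if (mkdir(dir, 0700) < 0 || stat(dir, &st) < 0) return -1;
    orig = st.st_ino;
    if (mkdir(tgt, 0700) < 0 || stat(tgt, &st) < 0) return -1;
    target = st.st_ino;
    struct swap_ctx c = { dir, tgt };
    int rc = hardened ? open_then_use(dir, getuid(), swap_hook, &c, &used)
                      : check_then_use(dir, getuid(), swap_hook, &c, &used);
    if (rc < 0) return -1;
    return used == target ? 1 : (used == orig ? 0 : -1);
}
```

Calling demo(0) returns 1 because the second name lookup lands in the attacker's directory, while demo(1) returns 0 because the descriptor still refers to the directory that passed the owner check.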