Attack on Ubuntu's Handler for Commands That Are Not Installed

Researchers from Aqua Security have discovered a potential security risk for users of the Ubuntu distribution. They found that the “Command-Not-Found” feature, which suggests a package to install when a user types a command that is not present on the system, draws its suggestions not only from the regular APT repositories but also from the Snapcraft.io catalog. Since anyone can publish to that catalog, the suggestions can include packages added by unverified users, potentially with malicious content.

In the catalog, an attacker could place a package with hidden malicious content and a name that closely resembles an existing Deb package or popular utility. For example, they could place a package named “TRACERT” or “TCPDAMP”, hoping that users will mistype “Tracerout” or “TCPDUMP”. If the user follows the recommendation from “Command-Not-Found”, they may unwittingly install the harmful package from Snapcraft.io.

Even if the user is cautious and would normally choose to install the Deb package instead, the attacker can still steer them towards Snap. If the malicious snap is given the same name as an existing Deb package, “Command-Not-Found” lists both a Deb and a Snap candidate, and the user may mistakenly assume that the Snap version is more secure or more up-to-date and choose it over the Deb one.
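As an added illustration (not code from the Aqua report or from the command-not-found tool), the script below scores a suggested snap name against a constructed list of commands provided by Deb packages: it flags an exact name collision (the case just described, where both a Deb and a Snap candidate appear) and a near-miss within a small edit distance (the typosquatting case). The command list and snap names are constructed sample data, not real catalog contents.

```python
"""Flag snap suggestions that collide with, or look like typos of, known commands.

Added illustration; KNOWN_COMMANDS and the audited names are constructed
sample data, not the Aqua findings or the real Snapcraft catalog.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


# Constructed: command name -> Deb package that provides it.
KNOWN_COMMANDS = {"traceroute": "traceroute", "tcpdump": "tcpdump", "nmap": "nmap"}


def assess_suggestion(snap_name: str, known: dict, max_distance: int = 2):
    """Classify a snap name that command-not-found might suggest.

    Returns ("collision", cmd) when a Deb-provided command has exactly that
    name (user sees both a Deb and a Snap candidate), ("near-miss", cmd) when
    the name is within max_distance edits of a known command (likely typo
    bait), and ("unrelated", None) otherwise.
    """
    if snap_name in known:
        return ("collision", snap_name)
    best = min(known, key=lambda cmd: levenshtein(snap_name, cmd))
    if levenshtein(snap_name, best) <= max_distance:
        return ("near-miss", best)
    return ("unrelated", None)


def audit(snap_names, known=KNOWN_COMMANDS):
    """Run assess_suggestion over a batch and keep only names needing review."""
    results = {n: assess_suggestion(n, known) for n in snap_names}
    return {n: v for n, v in results.items() if v[0] != "unrelated"}


if __name__ == "__main__":
    # Constructed sample of names an audit of suggestions might encounter.
    for name, (verdict, closest) in audit(
            ["tracerout", "tcpdamp", "tcpdump", "hello-world"]).items():
        print(f"{name:12} {verdict:10} closest known command: {closest}")
```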

The researchers also noted that Snapcraft.io subjects snaps to an automated review only when they run under strict confinement (in an isolated sandbox); snaps that run without confinement are published only after manual review. However, an attacker does not need to escape the sandbox to cause harm: a confined snap still has network access, which can be used for activities such as cryptocurrency mining, DDoS attacks or spam mailing.

In addition, the attacker can try to escape the confinement of a malicious package, for example by exploiting vulnerabilities in the kernel or in the confinement mechanisms, or by using snap interfaces that grant access to external resources, for covert recording or for capturing keyboard input via the X11 protocol.
