A few days ago Qualys announced that it has identified a serious vulnerability (already catalogued as CVE-2022-3328) in the snap-confine utility, which is installed setuid root and is invoked by snapd to set up the execution environment for applications distributed as snap packages.
According to Qualys, the vulnerability allows an unprivileged local user to execute code as root in Ubuntu's default configuration.
Interestingly, the vulnerability was introduced while fixing a similar vulnerability in snap-confine from February.
What impact does CVE-2022-3328 have?
Qualys explains in its report that the snap-confine vulnerability is a race condition in the must_mkdir_and_open_with_perms() function. That function was added to protect against the directory /tmp/snap.$SNAP_NAME being replaced by a symlink after its owner has been verified but before the mount() system call that bind-mounts directories into it on behalf of a snap package.
The added protection works by renaming /tmp/snap.$SNAP_NAME to another directory in /tmp with a random name if it already exists and is not owned by root.
To exploit that rename, the researchers used the fact that snap-confine also creates a directory /tmp/snap.rootfs_x for the contents of the snap package, where mkdtemp() picks the random "x" part of the name, and that a snap named "rootfs_x" is accepted by sc_instance_name_validate(). The idea is to set $SNAP_NAME to "rootfs_x", so that the rename, performed by snap-confine as root, moves the /tmp/snap.rootfs_x directory out of the way.
To make one instance's /tmp/snap.rootfs_x coincide with another instance's /tmp/snap.$SNAP_NAME, two instances of snap-confine were started.
As soon as the first instance had created /tmp/snap.rootfs_x, it was blocked, and a second instance was started with the snap name rootfs_x, so that the second instance's temporary directory /tmp/snap.$SNAP_NAME was the root directory /tmp/snap.rootfs_x of the first instance.
Immediately after performing the rename, the second instance failed, and /tmp/snap.rootfs_x was replaced by exploiting the race condition, as in the February exploit. Once the first instance was unblocked, the attackers had full control over its root directory.
The last step was to create a symlink /tmp/snap.rootfs_x/tmp, which sc_bootstrap_mount_namespace() uses as the target when bind-mounting the real, writable /tmp; because mount() follows symlinks before mounting, the writable /tmp can be bind-mounted over any directory on the filesystem. AppArmor restrictions block such a mount, so to bypass them the exploit used two vulnerabilities in multipathd.
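The core defect described above is a check-then-use window on a path in /tmp: the directory is verified by path, and then used by path, so an attacker who swaps it for a symlink in between wins. The program below is an added example written for this article; it is not snap-confine's code and not the Qualys exploit. It reproduces the window without root in a scratch tree under /tmp and contrasts the path-based pattern with the descriptor-based one (open the directory with O_NOFOLLOW | O_DIRECTORY, fstat() the descriptor, then work through openat()). The names snap.example, victim, moved and marker are invented for the demonstration, and the "attacker" is a function called deliberately between the check and the use so the race is deterministic rather than timing-dependent.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simulated attacker (invented for this example): runs in the window between
 * the check and the use. It moves the already-checked directory aside (to
 * <base>/moved) and puts a symlink to the victim directory at the original path. */
static void attacker_swap(const char *base, const char *target, const char *victim)
{
    char moved[PATH_MAX];
    snprintf(moved, sizeof moved, "%s/moved", base);
    if (rename(target, moved) != 0 || symlink(victim, target) != 0) {
        perror("attacker_swap");
        exit(1);
    }
}

/* Vulnerable pattern: lstat() the directory by path, then create a file inside
 * it by path. The kernel resolves the path again on the second call, so after
 * the swap the file is created through the attacker's symlink. */
static int create_by_path(const char *base, const char *target, const char *victim)
{
    struct stat st;
    if (lstat(target, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != getuid())
        return -1;                       /* the check passes on the real directory */
    attacker_swap(base, target, victim); /* ...and then the directory is swapped */
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/marker", target);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened pattern: open the directory itself with O_NOFOLLOW | O_DIRECTORY,
 * fstat() that descriptor, and do every later operation relative to it with
 * openat(). A rename or symlink at the path can no longer change which
 * directory the descriptor refers to. */
static int create_by_fd(const char *base, const char *target, const char *victim)
{
    int dfd = open(target, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    struct stat st;
    if (fstat(dfd, &st) != 0 || st.st_uid != getuid()) {
        close(dfd);
        return -1;
    }
    attacker_swap(base, target, victim); /* same swap, same window */
    int fd = openat(dfd, "marker", O_WRONLY | O_CREAT | O_EXCL, 0600);
    close(dfd);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Runs one scenario in a fresh scratch tree under /tmp.
 * Returns 1 if the marker file ended up in the victim directory (the attacker
 * redirected the write), 0 if it stayed in the checked directory, -1 on error. */
int run_scenario(int use_fd)
{
    char base[] = "/tmp/snapdemo.XXXXXX";
    if (mkdtemp(base) == NULL)
        return -1;
    char target[PATH_MAX], victim[PATH_MAX], moved[PATH_MAX], p[PATH_MAX];
    snprintf(target, sizeof target, "%s/snap.example", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(moved, sizeof moved, "%s/moved", base);
    if (mkdir(target, 0700) != 0 || mkdir(victim, 0700) != 0)
        return -1;

    int rc = use_fd ? create_by_fd(base, target, victim)
                    : create_by_path(base, target, victim);

    snprintf(p, sizeof p, "%s/marker", victim);
    int redirected = (access(p, F_OK) == 0);

    /* best-effort cleanup of the scratch tree */
    unlink(p);
    snprintf(p, sizeof p, "%s/marker", moved);
    unlink(p);
    unlink(target); /* the attacker's symlink */
    rmdir(moved);
    rmdir(victim);
    rmdir(base);

    return rc == 0 ? redirected : -1;
}

int main(void)
{
    printf("path-based check-then-use: write redirected = %d\n", run_scenario(0));
    printf("fd-based check-then-use:   write redirected = %d\n", run_scenario(1));
    return 0;
}
```

The path-based run reports the write redirected into the victim directory; the descriptor-based run does not, because the descriptor keeps following the directory that was actually checked even after it has been renamed away. The same principle applies to a privileged program such as snap-confine: whatever is verified must be the same object that is later used, and a path in a world-writable directory does not give that guarantee.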
Successful exploitation of all three vulnerabilities allows any unprivileged user to gain root privileges on a vulnerable system. Qualys researchers verified the vulnerability, developed an exploit and obtained full root privileges on default Ubuntu installations.
In Qualys's words: "As soon as the vulnerability was confirmed by the Qualys Threat Research Unit, we engaged in responsible vulnerability disclosure and coordinated with vendors and open-source distributions to announce this newly discovered vulnerability."
The researchers prepared a working exploit that obtains root on Ubuntu Server 22.04. Besides the snap-confine vulnerability, it relies on two vulnerabilities in the multipathd process, CVE-2022-41974 and CVE-2022-41973, which concern, respectively, an authorization bypass when privileged commands are passed to multipathd and unsafe handling of symbolic links.
The issue was fixed in snapd 2.57.6, and package updates have been released for all supported Ubuntu releases.
Finally, if you want to know more, the details can be consulted at the following link.