Dirty Sock: CVE-2019-7304

February 13, 2019

Today, Chris Moberly blogged about his local privilege escalation bug in Ubuntu Linux, CVE-2019-7304, a.k.a. the “Dirty Sock” exploit (ew). This affects snapd, which is installed on Ubuntu 16.04.4 LTS and later by default, but snapd is also available for other Linux distributions with a manual install.

Beneath the hype: Snapd’s auto-update should mean you don’t need to do anything about this. Even without this, your everyday script kiddie already needs a shell on the target host before they can run one of the two public scripts to elevate privileges.

But, caveats: If one of your hosts does not usually have internet access, or if snapd is set to not auto-update (but this is unlikely), one might still be at risk. Exploitability of this is pretty easy, because the exploit code is now available — but again, the attacker needs a shell on the host first before they can use this to escalate privileges.

The background: The snapd service allows people to use distro-agnostic bundles of application dependencies, which is super useful for packaging applications. However, the snapd service does not perform sufficient input validation when determining the credentials of users interacting with the service. An attacker can connect to the snapd UNIX socket with a specially-named file as the client end of the socket in order to execute snapd API operations as the root user.

The bottom line: Dirty socks in real life need to be cleaned up before stinking up the whole place, and the Dirty Socks vuln is no different. Luckily, snapd auto-updates in the background, so it’ll no longer be exploitable if someone tries to use this attack. You can safely take your hand off the panic button as long as your host has internet access and snapd is set to auto-update.

The Capsule8 Labs team conducts offensive and defensive research to understand the threat landscape for modern infrastructure and to continuously improve Capsule8’s attack coverage.