Security: snapd snapctl Auth Bypass
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | Fix Committed | Critical | Zygmunt Krynicki |
Bug Description
Hi
I am writing to you from the Security Labs team at Snyk to report some security issues affecting snapd which we identified during a recent research project.
We have identified a vulnerability which can result in authorization bypass in the snapctl tool.
**Description**
When performing the authorization check of the snapctl tool (such as when performing snapctl mount inside a snap), the code will check for the presence of the ‘-h’ or ‘--help’ arguments in the arguments array and, if present, bypass the requirement for the correct authorization (which will be uid 0 in the normal case) [1].
This argument check does not take into account the context of the parameter, and in some cases the parameter may be ignored by the standard argument parsing. The following output shows the difference in parsing when the ‘--’ argument is also passed, usually used to indicate the end of command line options:
$ snapctl mount
error: cannot use "mount" with uid 1000, try with sudo
$ snapctl mount --help
Usage:
snapctl [OPTIONS] mount [mount-OPTIONS] <what> <where>
[snipped for brevity]
$ snapctl mount -- --help
error: error running snapctl: the required argument `<where>` was not provided
As can be seen, by including ‘-- --help’ the authorization check seen in the first line is bypassed, but the help text is not displayed, and the standard parsing of the ‘mount’ tool is performed.
I have included a full proof of concept exploiting this issue to perform a privileged action below; however, due to the limitations of the snapctl tool I was not able to exploit this issue in a meaningful way to perform privilege escalation or similar.
**Proof of Concept**
The following proof of concept shows the bypass of the authorization check for the ‘umount’ and ‘mount’ commands, successfully performing the umount and mount actions as an unprivileged user (uid 1000). Note that the only difference between the unsuccessful lines (i.e. lines which error ‘cannot use … with uid 1000’) and the successful lines is the addition of ‘-- --help’.
rory@ubuntu2404
snap 2.62+24.04build1
snapd 2.62+24.04build1
series 16
ubuntu 24.04
kernel 6.8.0-31-generic
rory@ubuntu2404
rory@ubuntu2404
/dev/sda2 on /var/snap/
/dev/sda2 on /var/lib/
rory@ubuntu2404
error: cannot use "umount" with uid 1000, try with sudo
rory@ubuntu2404
rory@ubuntu2404
rory@ubuntu2404
error: cannot use "mount" with uid 1000, try with sudo
rory@ubuntu2404
rory@ubuntu2404
/dev/sda2 on /var/lib/
/dev/sda2 on /var/snap/
**Suggested Fix**
If possible, use the same argument parsing library which is used by the tool elsewhere. This will ensure that the context of -h/--help is consistent.
We aim to follow an industry standard 90 day disclosure process; we hope that you are able to align with this and release a fix for this vulnerability where applicable in this time frame.
If you have any further questions, or would like assistance in mitigating or retesting these vulnerabilities, please let me know.
Thanks,
Rory McNamara
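The weakness described in the report is a string scan that treats any `-h`/`--help` token as a help request, even one that the real option parser would consume as a positional value after `--`. The following Go program is an added illustration and is not snapd's code or part of the report: `naiveHelpRequested` reproduces the flawed scan, `helpRequested` stops honouring help flags at the `--` terminator, and `authorize` shows how each predicate decides the same three invocations from the report. The `privilegedCommands` table, the function names and the uid values are constructed for the example; the report's actual suggested fix is to reuse the tool's own option parser, which this hand-rolled terminator check only approximates.

```go
package main

import (
	"errors"
	"fmt"
)

// Commands that, like snapctl mount/umount, must only run as uid 0.
// Constructed for this example; not snapd's real command table.
var privilegedCommands = map[string]bool{"mount": true, "umount": true}

// naiveHelpRequested mirrors the flawed logic in the report: any occurrence
// of -h or --help anywhere in the argument array counts as a help request,
// regardless of whether the option parser would treat it as an option.
func naiveHelpRequested(args []string) bool {
	for _, a := range args {
		if a == "-h" || a == "--help" {
			return true
		}
	}
	return false
}

// helpRequested only honours -h/--help where an option parser would: before
// the first "--" terminator. Every token after "--" is a positional value, so
// "-- --help" is no longer a help request and the caller must be authorized.
func helpRequested(args []string) bool {
	for _, a := range args {
		if a == "--" {
			return false
		}
		if a == "-h" || a == "--help" {
			return true
		}
	}
	return false
}

// authorize decides whether a caller with the given uid may run the command
// in args[0]. helpOnly is the predicate used to grant the help exemption, so
// the same policy can be exercised with both checks above.
func authorize(uid int, args []string, helpOnly func([]string) bool) error {
	if len(args) == 0 {
		return errors.New("no command given")
	}
	cmd := args[0]
	if !privilegedCommands[cmd] || uid == 0 {
		return nil
	}
	// Printing usage text is harmless for any uid; the risk lies entirely in
	// how a "help-only" invocation is recognised.
	if helpOnly(args[1:]) {
		return nil
	}
	return fmt.Errorf("cannot use %q with uid %d, try with sudo", cmd, uid)
}

func main() {
	// The three invocations from the report, run as uid 1000.
	cases := [][]string{
		{"mount"},
		{"mount", "--help"},
		{"mount", "--", "--help"},
	}
	for _, c := range cases {
		fmt.Printf("%-24v naive: %v | fixed: %v\n", c,
			authorize(1000, c, naiveHelpRequested),
			authorize(1000, c, helpRequested))
	}
}
```

With the naive predicate the third case is accepted for uid 1000, reproducing the bypass; with the terminator-aware predicate it is rejected while a genuine `mount --help` is still allowed.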
Changed in snapd: status: In Progress → Fix Committed
Hi Rory, thanks for the excellent report. We'll investigate and get back to you.