ubuntu-core-launcher uses incorrect glob, doesn't check for exactly one match

Bug #1576699 reported by Zygmunt Krynicki
Affects                         Status        Importance  Assigned to       Milestone
ubuntu-core-launcher (Ubuntu)   Fix Released  High        Jamie Strandboge
  Xenial                        Fix Released  High        Jamie Strandboge
  Yakkety                       Fix Released  High        Jamie Strandboge

Bug Description

A review of ubuntu-core-launcher code has found that setup_snappy_os_mounts() uses a glob with a potential for security exploit if the attacker can convince a user to install a malicious snap having a name starting with "ubuntu-core".

Due to the glob the launcher may, at random, depending on glob result ordering, choose to mount that snap instead of the real ubuntu-core snap into the filesystem namespace of all newly started application processes.

The bug is possible due to an incorrect glob and an incorrect size check.

CVE References

Revision history for this message
Zygmunt Krynicki (zyga) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Zygmunt Krynicki (zyga)
description: updated
Revision history for this message
Tyler Hicks (tyhicks) wrote :

Great catch! The fix in comment #1 is not correct since we don't need to use glob() any longer.

Michael Vogt (mvo)
Changed in ubuntu-core-launcher (Ubuntu):
importance: Undecided → Critical
status: New → Triaged
Changed in ubuntu-core-launcher (Ubuntu):
importance: Critical → High
Revision history for this message
Michael Vogt (mvo) wrote :

I asked the store team to blacklist any "ubuntu-core.*" names in the store to counter this.

Revision history for this message
Michael Vogt (mvo) wrote :

Nessita told me there is no support to blacklist based on prefix or regexp (which is unfortunate). So we could make all snaps subject to manual approval for now until this issue is solved. Not sure if that big hammer is needed given that you need to convince people first to run "sudo snap install ubuntu-core-evil" to exploit this. But I leave that decision to the experts :)

Revision history for this message
Zygmunt Krynicki (zyga) wrote :

Tyler is right, the glob is no longer required. I just aimed for a minimal path to highlight the problem.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This deserves a CVE and it should be credited to Zygmunt Krynicki. This bug provides a delayed attack opportunity and at a minimum allows data theft since a crafted snap with a crafted name (eg, ubuntu-core-evil, or similar) would have its binaries, libraries, etc bind mounted into all other snap applications' runtime environments, which can be used to execute code (ie, to ship data off) within the context of other apps when those other apps run. The scope of the attack is limited to the security policy of the installed apps and their launch (meaning that an app with privileges (eg, network-control interface) could be used in a delayed attack to escalate privileges beyond those granted to the malicious snap).

This fix can be made much simpler: skip all the glob code and just use /snap/ubuntu-core/current. We don't support .<origin> or .sideload any more so the glob is unneeded.

Zygmunt Krynicki (zyga)
description: updated
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2016-1580

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, I asked the store team to put all apps under manual review. Once the USN is published, we'll lift that.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.27.1

---------------
ubuntu-core-launcher (1.0.27.1) xenial-security; urgency=medium

  * SECURITY UPDATE: delayed attack snap data theft and privilege escalation
    when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
    - src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
      instead. The glob code both used an improper glob and performed an
      incorrect check due to a typo which allowed a snap named ubuntu-core-...
      to be bind mounted into application runtimes instead of the ubuntu-core
      OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
      so the glob can simply be dropped.
    - CVE-2016-1580
  * debian/usr.bin.ubuntu-core-launcher:
    - only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
      the future
    - add lib32 and libx32 to match setup_snappy_os_mounts()

 -- Jamie Strandboge <email address hidden> Fri, 29 Apr 2016 10:06:19 -0500
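
The following C program is an added illustration of the bug class described in the report, the triage comments and the changelog above; it is not ubuntu-core-launcher code and not an attachment to this bug. It builds a throwaway directory tree under /tmp shaped like /snap on a system where a snap named "ubuntu-core-evil" was installed next to the real OS snap (a constructed fixture), then shows three ways of locating the OS snap: a glob-based picker that only checks for "at least one match" (the weakness the report describes; the exact pattern "ubuntu-core*/current" and the function names are assumptions), the same glob with the "exactly one match" check the bug title asks for, and the post-fix approach of hardcoding /snap/ubuntu-core/current. One detail worth knowing: glob() sorts its results unless GLOB_NOSORT is passed, and in the C locale "ubuntu-core-evil/current" sorts before "ubuntu-core/current" because '-' (0x2d) precedes '/' (0x2f), so with this layout the weak picker chooses the malicious snap every time rather than "at random".

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATHBUF 4096

/* Weak picker (assumed pattern, modelled on the report): glob for the OS snap
 * and take the first hit. Only "at least one match" is checked, so any
 * sibling snap whose name starts with "ubuntu-core" can be selected. */
static int pick_os_snap_glob(const char *snap_root, char *out, size_t outlen)
{
    char pattern[PATHBUF];
    glob_t g;

    snprintf(pattern, sizeof pattern, "%s/ubuntu-core*/current", snap_root);
    if (glob(pattern, 0, NULL, &g) != 0)
        return -1;
    if (g.gl_pathc < 1) {           /* weak: should require exactly one */
        globfree(&g);
        return -1;
    }
    snprintf(out, outlen, "%s", g.gl_pathv[0]);   /* first sorted match */
    globfree(&g);
    return 0;
}

/* Same glob, but refuse unless exactly one path matched: ambiguity becomes
 * a hard failure instead of a silent choice. */
static int pick_os_snap_strict(const char *snap_root, char *out, size_t outlen)
{
    char pattern[PATHBUF];
    glob_t g;
    int ok = 0;

    snprintf(pattern, sizeof pattern, "%s/ubuntu-core*/current", snap_root);
    if (glob(pattern, 0, NULL, &g) != 0)
        return -1;
    if (g.gl_pathc == 1) {
        snprintf(out, outlen, "%s", g.gl_pathv[0]);
        ok = 1;
    }
    globfree(&g);
    return ok ? 0 : -1;
}

/* Post-fix approach (as in 1.0.27.1): no glob at all, the OS snap lives at a
 * fixed path and anything else is an error. */
static int pick_os_snap_fixed(const char *snap_root, char *out, size_t outlen)
{
    struct stat st;

    snprintf(out, outlen, "%s/ubuntu-core/current", snap_root);
    if (stat(out, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return 0;
}

/* Constructed fixture: a temp tree shaped like /snap with a malicious
 * "ubuntu-core-evil" beside the real OS snap. Returns the root (caller
 * frees via remove_fixture) or NULL on failure. */
static const char *fixture_dirs[] = {
    "ubuntu-core", "ubuntu-core/current",
    "ubuntu-core-evil", "ubuntu-core-evil/current",
};
#define NFIXTURE (sizeof fixture_dirs / sizeof fixture_dirs[0])

static char *make_fixture(void)
{
    char tmpl[] = "/tmp/snapglob-XXXXXX";
    char path[PATHBUF];
    size_t i;

    if (mkdtemp(tmpl) == NULL)
        return NULL;
    for (i = 0; i < NFIXTURE; i++) {
        snprintf(path, sizeof path, "%s/%s", tmpl, fixture_dirs[i]);
        if (mkdir(path, 0700) != 0)
            return NULL;
    }
    return strdup(tmpl);
}

static void remove_fixture(char *root)
{
    char path[PATHBUF];
    size_t i;

    for (i = NFIXTURE; i-- > 0;) {      /* reverse order: children first */
        snprintf(path, sizeof path, "%s/%s", root, fixture_dirs[i]);
        rmdir(path);
    }
    rmdir(root);
    free(root);
}

int main(void)
{
    char out[PATHBUF];
    char *root = make_fixture();

    if (root == NULL) {
        perror("fixture");
        return 1;
    }
    printf("weak glob   : %s\n", pick_os_snap_glob(root, out, sizeof out) == 0 ? out : "(error)");
    printf("strict glob : %s\n", pick_os_snap_strict(root, out, sizeof out) == 0 ? out : "(refused: ambiguous match)");
    printf("fixed path  : %s\n", pick_os_snap_fixed(root, out, sizeof out) == 0 ? out : "(error)");
    remove_fixture(root);
    return 0;
}
```

Run it on any Linux box with a writable /tmp: the weak picker returns the ubuntu-core-evil path, the strict picker refuses because two directories match, and the fixed picker returns the real OS snap. The AppArmor change in the same upload (only allowing mounts from /snap/ubuntu-core/*/...) is the belt-and-braces counterpart: even if a future code path reintroduced a glob, the mount itself would be denied by policy.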

Changed in ubuntu-core-launcher (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

1.0.28 uploaded to yakkety.

Changed in ubuntu-core-launcher (Ubuntu Yakkety):
status: Fix Released → New
Changed in ubuntu-core-launcher (Ubuntu Xenial):
importance: Undecided → High
status: New → Fix Released
Changed in ubuntu-core-launcher (Ubuntu Yakkety):
status: New → In Progress
Changed in ubuntu-core-launcher (Ubuntu Xenial):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in ubuntu-core-launcher (Ubuntu Yakkety):
assignee: nobody → Jamie Strandboge (jdstrand)
information type: Private Security → Public Security
Changed in ubuntu-core-launcher (Ubuntu Yakkety):
status: In Progress → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, now that the USN is published, I asked the store team to lift manual review.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-core-launcher - 1.0.28

---------------
ubuntu-core-launcher (1.0.28) yakkety; urgency=medium

  * SECURITY UPDATE: delayed attack snap data theft and privilege escalation
    when using Snappy on traditional Ubuntu (classic) systems (LP: #1576699)
    - src/main.c: remove glob code and hardcode /snap/ubuntu-core/current
      instead. The glob code both used an improper glob and performed an
      incorrect check due to a typo which allowed a snap named ubuntu-core-...
      to be bind mounted into application runtimes instead of the ubuntu-core
      OS snap. Ubuntu Core removed .<origin> and .sideload from the SNAP path
      so the glob can simply be dropped.
    - CVE-2016-1580
  * debian/usr.bin.ubuntu-core-launcher:
    - only allow mounting /snap/ubuntu-core/*/... to safeguard against this in
      the future
    - add lib32 and libx32 to match setup_snappy_os_mounts()

 -- Jamie Strandboge <email address hidden> Fri, 29 Apr 2016 11:17:42 -0500

Changed in ubuntu-core-launcher (Ubuntu Yakkety):
status: Fix Committed → Fix Released