CVE-2024-1724: Snap Sandbox Escape Vulnerability Threatens Linux Systems


In a recent disclosure, security researcher McPhail identified a critical vulnerability in Snap, a popular package manager for Ubuntu and other Linux distributions. The vulnerability, tracked as CVE-2024-1724, could allow a malicious Snap package to bypass the Snap sandbox and execute arbitrary code on a user’s system.

The Snap package manager, a default feature on Ubuntu, facilitates the installation and management of software from the Snap Store, operated by Canonical. Snap packages operate within a confined environment, restricted by security frameworks like AppArmor and seccomp. However, these packages can request permissions to relax these restrictions, such as accessing the user’s home directory with the home permission.


Canonical’s policy of automatically approving the home permission laid the groundwork for this vulnerability. The permission does carry a restriction: a Snap may not access dot-files or dot-directories at the top level of the home directory. That restriction is intended to keep sensitive files, such as SSH keys, out of a Snap’s reach, but McPhail’s findings reveal a critical flaw in how it is enforced.

The CVE-2024-1724 vulnerability hinges on the interaction between Snap’s home permission and the user’s $HOME/bin directory. By default, the .profile script executed during shell login adds $HOME/bin to the user’s $PATH if it exists, allowing any executables in that directory to run without specifying their full path.

McPhail demonstrated that a Snap package could exploit this by creating a symbolic link from $HOME/bin to a directory controlled by the Snap. This symbolic link circumvents the AppArmor rule designed to prevent Snaps from writing to $HOME/bin, thereby allowing executables in the linked directory to run outside the Snap’s sandbox.

In a proof-of-concept, McPhail’s malicious Snap, named “evilsnap,” created the symbolic link and placed in the linked directory a script designed to read the user’s .bashrc file, a dot-file the home permission is supposed to protect. Upon the next login, the shell treated the symbolic link as if it were $HOME/bin, so the script ran unconfined and read the .bashrc file.
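The defender-side check that follows from the description above is whether a user’s $HOME/bin is a symbolic link and where it resolves to. The script below is an added example for this article, not code from McPhail, Canonical or snapd: `check_home_bin` reports a symlinked bin/ whose target sits under the user’s snap data tree (assumed here to be $HOME/snap, the per-user directory Snaps can write to) with status 1, any other symlinked bin/ with status 2, and an absent or real directory with status 0. `path_has_home_bin` tells you whether that path has already been picked up into $PATH by the login shell. The status codes and the function names are this example’s own conventions.

```shell
#!/bin/sh
# Added audit helper (not part of the original article or of snapd).
# Flags the condition described for CVE-2024-1724: $HOME/bin being a
# symbolic link that a confined Snap could have planted. The snap data
# tree is assumed to be HOME_DIR/snap; status codes are this script's own.

# check_home_bin HOME_DIR
#   0: no bin/, or bin/ is a real directory (nothing to report)
#   1: bin/ is a symlink whose target lies under HOME_DIR/snap
#   2: bin/ is a symlink to somewhere else (still worth a look)
check_home_bin() {
    home_dir=$1
    bin_path="$home_dir/bin"

    # Nothing there: the login shell will not add it to PATH.
    [ -e "$bin_path" ] || [ -L "$bin_path" ] || return 0

    # A regular directory is the expected, benign case.
    [ -L "$bin_path" ] || return 0

    # Resolve the link to a canonical absolute path (empty if unresolvable).
    target=$(readlink -f -- "$bin_path" 2>/dev/null) || target=""
    snap_root="$(readlink -f -- "$home_dir")/snap"

    case "$target" in
        "$snap_root"/*)
            printf 'WARNING: %s -> %s resolves into the snap data tree\n' \
                "$bin_path" "$target" >&2
            return 1
            ;;
        *)
            printf 'NOTICE: %s is a symlink to %s; verify who created it\n' \
                "$bin_path" "${target:-<unresolvable>}" >&2
            return 2
            ;;
    esac
}

# path_has_home_bin HOME_DIR PATH_VALUE
#   0 if HOME_DIR/bin is an element of PATH_VALUE, else 1
path_has_home_bin() {
    case ":$2:" in
        *":$1/bin:"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# When run directly: audit the invoking user's own home (report only).
if check_home_bin "${HOME:-/nonexistent}"; then
    echo "ok: ${HOME:-/nonexistent}/bin is absent or a real directory"
fi
if path_has_home_bin "${HOME:-}" "${PATH:-}"; then
    echo "note: $HOME/bin is already on PATH in this shell"
fi
```

Ubuntu’s default .profile only prepends $HOME/bin to PATH when that path exists at login, so a status of 1 or 2 combined with a positive `path_has_home_bin` result means the linked directory is already being searched for commands; running the audit for each account under /home from a cron job or a configuration-management check is the natural way to use it.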

The impact of this vulnerability is significant: code running outside the sandbox with the user’s privileges could give an attacker full control over the user’s account and, from there, the system. This could lead to data theft, unauthorized access, or the installation of additional malware.

Fortunately, the vulnerability has been patched by the Snap development team. Users are strongly advised to update their Snap package manager to the latest version to mitigate the risk of exploitation.