Possible Attack Scenarios for an Uninstalled Application Handler in Ubuntu

Researchers from Aqua Security have reported a way to attack users of the Ubuntu distribution that abuses how the “command-not-found” handler is implemented. The handler prints a hint when a user tries to run a program that is not installed on the system. When it evaluates a command that is not present, “command-not-found” considers not only packages from the standard repositories but also snap packages, and draws its recommendation from the snapcraft.io catalog.

The problem is that when “command-not-found” generates a recommendation from the contents of the snapcraft.io catalog, it does not take the package's status into account and includes packages added to the catalog by unverified users. An attacker can therefore publish to snapcraft.io a package with hidden malicious content whose name overlaps with an existing deb package, matches a program absent from the standard repositories, or is a fictitious application whose name reflects a typical typo or user error when typing the name of a popular utility.


For example, an attacker could publish “tracert” and “tcpdamp” packages in the expectation that users will mistype the names of the “traceroute” and “tcpdump” utilities. When such a name is entered, “command-not-found” will recommend installing the attacker's malicious package from snapcraft.io, and the user may not notice the substitution, assuming that the system only recommends verified packages. An attacker can also publish a snap whose name overlaps with an existing deb package; in that case “command-not-found” gives two recommendations, one for the deb and one for the snap, and the user may choose the snap, believing it to be more secure or tempted by a newer version number.
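The two abuse patterns described above, name collisions with deb packages and typo lookalikes, can be audited for on the defender's side. The following is an added example, not code from the article or from Aqua Security: it runs a simple edit-distance check over a constructed catalog snapshot; the catalog rows, the publisher-verified flags, the command lists and the function names are all assumptions made for this demo, not the real snapcraft.io data model.

```python
# Defender-side audit of a snap catalog snapshot for the two patterns in the
# article: unverified snaps that collide with deb package names, and unverified
# snaps whose names are a few edits away from a popular command.
# All data below is CONSTRUCTED for this example; nothing is fetched from snapcraft.io.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]

# Constructed catalog rows: (snap name, publisher verified?, confinement)
SNAP_CATALOG = [
    ("tracert", False, "strict"),     # lookalike of traceroute (the article's example)
    ("tcpdamp", False, "strict"),     # one-letter typo of tcpdump (the article's example)
    ("tcpdump", False, "strict"),     # same name as the deb package
    ("fluffychat", False, "strict"),  # unrelated unverified snap, should not be flagged
    ("htop", True, "strict"),         # verified publisher, legitimate overlap
    ("mosh", True, "classic"),
]
POPULAR_COMMANDS = ["traceroute", "tcpdump", "htop", "nmap"]   # assumed watch list
DEB_COMMANDS = {"traceroute", "tcpdump", "htop", "nmap", "mosh"}  # assumed deb names

def audit_catalog(catalog, popular, deb_commands, max_distance=3):
    """Return (snap, reason, target) findings for unverified snaps that either
    reuse a deb package name or sit within max_distance edits of a popular
    command. Snaps from verified publishers are skipped."""
    findings = []
    for name, verified, _confinement in catalog:
        if verified:
            continue
        if name in deb_commands:
            findings.append((name, "collides-with-deb", name))
            continue
        for cmd in popular:
            d = edit_distance(name, cmd)
            if 0 < d <= max_distance:
                findings.append((name, "lookalike", cmd))
                break
    return findings

if __name__ == "__main__":
    for snap, reason, target in audit_catalog(SNAP_CATALOG, POPULAR_COMMANDS, DEB_COMMANDS):
        print(f"{snap:12} {reason:18} -> {target}")
```

The distance threshold is deliberately loose (3 edits, so “tracert” still matches “traceroute”); on a real catalog a reviewer would tune it and weight short names more carefully to keep the false-positive rate manageable.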

Snaps that snapcraft.io accepts through automatic review can only run in an isolated (sandboxed) environment; non-isolated snaps are published only after manual review. For an attacker, code execution inside the sandbox with network access may already be enough, for example to mine cryptocurrency, take part in DDoS attacks, or send spam.

An attacker can also build isolation-bypass techniques into a malicious package, such as exploiting unpatched vulnerabilities in the kernel or in the isolation mechanisms, using snap interfaces to reach external resources (for example, to covertly record audio and video), or capturing keyboard input when the X11 protocol is in use (for example, to build a keylogger).
