Exploit Database. EDB-ID: CVE: EDB Verified:. Author: Chris Moberly. Type: local. Platform: Linux.
Date: Vulnerable App:. This repository contains the original exploit POC, which is being made available for research and education. You can easily check if your system is vulnerable. Run the command below. This queries the Ubuntu SSO for a username and public SSH key of a provided address, and then creates a local user based on these values. Successful exploitation for this version requires an outbound Internet connection and an SSH service accessible via localhost.
After confirming it, edit your profile and add an SSH public key. Enjoy your new user with sudo rights! This allows the installation of arbitrary snaps. Snaps in "devmode" bypass the sandbox and may include an "install hook" that is run in the context of root at install time. This user will have permissions to execute sudo commands. As opposed to version one, this does not require the SSH service to be running. It will also work on newer versions of Ubuntu with no Internet connection at all, making it resilient to changes and effective in restricted environments.
The dirty_sock exploit should also be effective on non-Ubuntu systems that have installed snapd but that do not support the "create-user" API due to incompatible Linux shell syntax. Some older Ubuntu systems like If this is the case, this version of the exploit may trigger it to install those dependencies. During that installation, snapd may upgrade itself to a non-vulnerable version.
Testing shows that the exploit is still successful in this scenario. See the troubleshooting section for more details. To exploit, simply run the script with no arguments on a vulnerable system. Eventually, these should complete and your new user should be usable.
Version 1 seems to be the easiest and fastest, if your environment supports it (SSH service running and accessible from localhost). Please open issues for anything weird.
Disclosure Info: The issue was reported directly to the snapd team via Ubuntu's bug tracker. I was very impressed with Canonical's response to this issue. The team was awesome to work with, and overall the experience makes me feel very good about being an Ubuntu user myself. Simply run as is, no arguments, no requirements. See the GitHub repository for troubleshooting. The snap itself is empty and has no functionality. It does, however, have a bash script in the install hook that will create a new user.
For full details, read the blog linked on the GitHub repository above. Simply run and enjoy. First, we post the headers and wait for an HTTP reply. Then we can send the payload. Otherwise, the uninstall that follows will fail, leaving unnecessary traces on the machine. Tags: Local.
snapd < (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)