Privilege Escalation in Ubuntu Linux (dirty_sock exploit)
https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html [shenaniganslabs.io]
2019-02-13 20:38
In January 2019, I discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.
This is somewhere between amazing and just dumb.
This is calling one of golang’s standard libraries to gather user information related to the socket connection. Basically, the AF_UNIX socket family has an option to enable receiving of the credentials of the sending process in ancillary data (see man unix from the Linux command line). This is a fairly rock solid way of determining the permissions of the process accessing the API.
Instead, some additional processing happens in this function, where connection info is added to a new object along with the values discovered above: …and then a bit more in this one, where all of these values are concatenated into a single string variable: …and is finally parsed by this function, where that combined string is broken up again into individual parts:
Yes. Take the input you trust, concatenate with untrusted input, then parse it again.
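The concatenate-then-reparse pattern described above, shown as an added example written for this page (it is not the article's code and not snapd's; the `pid=…;uid=…;socket=…` string format, the field names and the sample address are all constructed). `parseVulnerable` mirrors the flaw in the quote: the kernel-supplied peer credentials are flattened into one delimited string together with the untrusted remote socket address, and a later parse lets any separator inside that address redefine a trusted field. The hardened variants either keep the credentials as a typed value that is never reparsed, or, where a string form is unavoidable, encode the untrusted part so it cannot carry the delimiters and reject duplicate keys on decode.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// PeerCreds models what the kernel reports for an AF_UNIX peer via
// SO_PEERCRED / SCM_CREDENTIALS. It is trustworthy because the kernel fills it in.
type PeerCreds struct {
	PID int
	UID int
}

// --- Vulnerable pattern (constructed to illustrate the post; not snapd's code) ---

// flattenVulnerable mixes trusted credentials and the untrusted remote socket
// address into one delimited string. The format is an assumption for this example.
func flattenVulnerable(creds PeerCreds, remoteAddr string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s", creds.PID, creds.UID, remoteAddr)
}

// parseVulnerable re-splits that string. Every "key=value" overwrites the previous
// value for that key, so a ';' inside remoteAddr lets the untrusted tail win.
func parseVulnerable(s string) (PeerCreds, string, error) {
	var creds PeerCreds
	var socket string
	for _, part := range strings.Split(s, ";") {
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return PeerCreds{}, "", fmt.Errorf("malformed field %q", part)
		}
		switch kv[0] {
		case "pid", "uid":
			n, err := strconv.Atoi(kv[1])
			if err != nil {
				return PeerCreds{}, "", err
			}
			if kv[0] == "pid" {
				creds.PID = n
			} else {
				creds.UID = n
			}
		case "socket":
			socket = kv[1]
		}
	}
	return creds, socket, nil
}

// --- Hardened patterns ---

// Request keeps the kernel-supplied credentials as a typed value beside the
// untrusted address. Nothing is serialised and reparsed, so the address can
// never influence UID or PID.
type Request struct {
	Creds      PeerCreds
	RemoteAddr string
}

func newRequest(creds PeerCreds, remoteAddr string) Request {
	return Request{Creds: creds, RemoteAddr: remoteAddr}
}

// flattenSafe is for the case where a string form is unavoidable (logging, a
// legacy interface): the untrusted part is percent-encoded, which turns ';' and
// '=' into %3B and %3D, so it cannot introduce extra fields.
func flattenSafe(creds PeerCreds, remoteAddr string) string {
	return fmt.Sprintf("pid=%d;uid=%d;socket=%s", creds.PID, creds.UID, url.QueryEscape(remoteAddr))
}

// parseSafe decodes flattenSafe output and refuses duplicate, unknown or
// missing keys instead of silently letting a later value override an earlier one.
func parseSafe(s string) (PeerCreds, string, error) {
	var creds PeerCreds
	var socket string
	seen := map[string]bool{}
	for _, part := range strings.Split(s, ";") {
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return PeerCreds{}, "", fmt.Errorf("malformed field %q", part)
		}
		if seen[kv[0]] {
			return PeerCreds{}, "", fmt.Errorf("duplicate key %q", kv[0])
		}
		seen[kv[0]] = true
		switch kv[0] {
		case "pid", "uid":
			n, err := strconv.Atoi(kv[1])
			if err != nil {
				return PeerCreds{}, "", err
			}
			if kv[0] == "pid" {
				creds.PID = n
			} else {
				creds.UID = n
			}
		case "socket":
			decoded, err := url.QueryUnescape(kv[1])
			if err != nil {
				return PeerCreds{}, "", err
			}
			socket = decoded
		default:
			return PeerCreds{}, "", fmt.Errorf("unknown key %q", kv[0])
		}
	}
	if len(seen) != 3 {
		return PeerCreds{}, "", fmt.Errorf("missing field in %q", s)
	}
	return creds, socket, nil
}

func main() {
	creds := PeerCreds{PID: 4242, UID: 1000}   // constructed kernel-reported peer
	addr := "/run/example.sock;uid=0"          // constructed address carrying a separator
	v, _, _ := parseVulnerable(flattenVulnerable(creds, addr))
	fmt.Println("vulnerable parse believes uid =", v.UID)
	safe, _, err := parseSafe(flattenSafe(creds, addr))
	fmt.Println("hardened parse keeps uid =", safe.UID, "err =", err)
	fmt.Println("typed request uid =", newRequest(creds, addr).Creds.UID)
}
```

On Linux the real credentials would come from `syscall.GetsockoptUcred` on the accepted connection's file descriptor (with `SOL_SOCKET`/`SO_PEERCRED`); that call is Linux-only and is left out here so the example stays portable. The important property is the one the post points at: the kernel-provided value must stay in its own typed field for its whole lifetime, and anything attacker-influenced must never be able to reach the same parser on equal footing.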