Name | snapd_uid_overwrite |
CVE | CVE-2019-7304 |
Exploit Pack | CANVAS |
Description | snapd_uid_overwrite |
Notes | CVE Name: CVE-2019-7304 VENDOR: snapd team NOTES: The snapd service runs as an REST API using a Unix Domain Socket, is possible to send request when the uid is 0 (root), the vulnerability in snapd allows us to overwrite this uid with an Unix Domain Socket binding a file with name like "randomstring;uid=0". The exploit takes advantage of this to call /v2/snaps API with a POST request and can run an bash script with root privs. This exploit version has been tested in Ubuntu Desktop 18.10 with snapd 2.37.0 VersionsAffected: Affects all snapd versions from 2.28 up to and including 2.37.0 Repeatability: Infinite References: - https://bugs.launchpad.net/snapd/+bug/1813365 - https://github.com/snapcore/snapd/wiki/REST-API CVE Url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7304 Date public: 13/02/2019 CVSS: N/A |
Learn more about the CANVAS Exploit Pack here: CANVAS |