Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Snapcraft Packages Come with Extra Baggage

Amy Burnett - Ret2, posted 4 years ago
  • Snap is Canonical's package system for Ubuntu, an alternative to apt-get; snapcraft is the tool used to build snap packages.
  • The bug was found by accident during a CTF. While the author was building a pwnable challenge in Docker, the docker command itself segfaulted. Docker should never segfault, so they looked closer: strace showed the crash happened while loading libc, and the libc being loaded was the challenge's local copy in the working directory, not the system one.
  • This resembled DLL hijacking on Windows, which abuses the library search order: if a library is not found in one location, the loader moves on to the next. If we control one of those locations for a privileged (or differently sandboxed) process, our own code runs inside it.
  • The crashing process turned out to be Docker's snap package. Snap preaches security through containment, but most applications plug the home interface, which exposes the user's home directory inside the sandbox. That is why the libc sitting in the working directory was reachable and got loaded.
  • Snap packages are launched through a generated wrapper script that sets up the sandbox and the environment around the application, so the suspect was a bad LD_LIBRARY_PATH. The value the wrapper exported contained an empty element, the "::" in the middle of the path. That looks harmless, but ld.so treats an empty path element as the current directory, so the loader searched the working directory for libraries before the default system directories. Damn, that's horrible.
  • This bug lets a library planted in whatever directory the user launches a snap from be loaded into that application, and the wrapper is shared by a large fraction of snap packages, including Docker, VLC and many others. The injected code still runs inside the sandbox, though; is there anything we can do from there? Can we escape the container?
  • A large number of snap applications are GUIs, which plug the x11 interface. That exposes the X server's Unix domain socket, /tmp/.X11-unix/X0, to the container, so the sandboxed process can talk to the X server exactly as any other client can, including synthesizing keyboard and mouse events for other windows. For instance, we can type a command into an open terminal window and pop a shell outside the sandbox :)
  • A few takeaways for me:
    • Be observant of strange or unexpected behaviors. There may be a bug lurking close by.
    • Containerized does not necessarily mean secure! Even inside the container, the author could still reach the host through the interfaces the sandbox exposed.
    • Any application setting LD_LIBRARY_PATH should be diligent in ensuring it does not introduce sideloading of libraries from unintended directories: an empty or relative path element resolves to the current directory.
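As an added worked example (my own code, not code from the Ret2 post, snapd or snapcraft), here is a small Python audit that checks the two conditions the post chains together: an LD_LIBRARY_PATH element that ld.so resolves to the current directory, and plugged snap interfaces (home, x11) that make that loadable and escapable. The snap connections table below is a constructed sample laid out like that command's output, the wrapper path value is invented for illustration, and safe_join is the behaviour a launcher should use instead of joining possibly empty variables with colons.

```python
"""Audit a snap's launch environment for the two things the post chains together:
an LD_LIBRARY_PATH element that resolves to the current directory, and plugged
interfaces (home, x11) that make that exploitable and escapable.

Added example, not code from the Ret2 post, snapd or snapcraft.  Path parsing
follows ld.so's rule that an empty list element means the current directory.
SAMPLE_CONNECTIONS is constructed to look like `snap connections` output and
BUGGY_WRAPPER_PATH is an invented value, both for illustration only.
"""
import os
from typing import Dict, List, Set, Tuple

# home: user-writable directories are visible in the sandbox, so a CWD entry in
#       the search path can be pointed at a planted library.
# x11:  the X server socket is shared, so code inside the sandbox can synthesize
#       input into any host window (the escape route the post uses).
CWD_EXPOSURE: Set[str] = {"home"}
ESCAPE_ROUTES: Set[str] = {"x11"}

SAMPLE_CONNECTIONS = """\
Interface  Plug            Slot      Notes
home       docker:home     :home     -
network    docker:network  :network  -
home       vlc:home        :home     -
x11        vlc:x11         :x11      -
"""
# What a wrapper doing the equivalent of  export LD_LIBRARY_PATH=$A:$B:$C
# produces when B and C are unset (illustrative, not the real snapcraft script).
BUGGY_WRAPPER_PATH = "/snap/vlc/current/lib::"


def parse_library_path(value: str) -> List[str]:
    """Split an LD_LIBRARY_PATH value as ld.so does: '::', a leading or a
    trailing ':' yield empty elements, each of which is the current directory."""
    if value == "":
        return []
    return [elem if elem else "." for elem in value.split(":")]


def audit_library_path(value: str) -> List[Tuple[str, str]]:
    """(element, reason) for every element resolved against the launching
    user's current directory rather than a fixed location."""
    findings = []
    for raw in (value.split(":") if value else []):
        if raw == "":
            findings.append((raw, "empty element: ld.so searches the current directory"))
        elif not os.path.isabs(raw):
            findings.append((raw, "relative element: resolved against the current directory"))
    return findings


def safe_join(*elements: str) -> str:
    """Build a search path that cannot contain an empty or relative entry,
    which is what a launcher should do instead of blindly joining variables."""
    return ":".join(e for e in elements if e and os.path.isabs(e))


def parse_connections(table: str) -> Dict[str, Set[str]]:
    """Map snap name -> set of plugged interface names from a
    `snap connections`-style table (Interface, Plug, Slot, Notes columns)."""
    plugs: Dict[str, Set[str]] = {}
    for line in table.strip().splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 3:
            continue
        interface, plug = cols[0], cols[1]
        snap = plug.partition(":")[0]             # "vlc:x11" -> "vlc"
        plugs.setdefault(snap, set()).add(interface)
    return plugs


def assess(snap: str, plugs: Dict[str, Set[str]], library_path: str) -> List[str]:
    """Human-readable findings for one snap given its plugs and the
    LD_LIBRARY_PATH its wrapper exports."""
    findings: List[str] = []
    ifaces = plugs.get(snap, set())
    if audit_library_path(library_path):
        findings.append("library search path includes the current directory")
        if ifaces & CWD_EXPOSURE:
            findings.append("home plug: the user's directories are inside the sandbox, "
                            "so a planted library in the launch directory gets loaded")
    if ifaces & ESCAPE_ROUTES:
        findings.append("x11 plug: X socket shared, code in the sandbox can inject "
                        "keystrokes into host windows")
    return findings


if __name__ == "__main__":
    plugs = parse_connections(SAMPLE_CONNECTIONS)
    for name in ("docker", "vlc"):
        print(name, assess(name, plugs, BUGGY_WRAPPER_PATH))
    print("fixed:", safe_join("/snap/vlc/current/lib", "", "lib"))
```

Running it reports two findings for docker (CWD in the search path, reachable through the home plug) and three for vlc (the same plus the x11 escape route), which is the chain the post walks through; on a real system you would feed in the output of snap connections and the LD_LIBRARY_PATH value printed from inside the snap's shell rather than the constructed sample.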