Local root vulnerability in snap-confine

Thanks for the link, this report is pure gold and worth reading in full.

Truly, props to snap-confine developers for implementing mitigations to make exploitation so complicated.

As for the other vulnerabilities they found......... *sigh*

> CVE-2021-3995: Unauthorized unmount in util-linux's libmount

> only the first "sz" characters of the
> current user's uid are compared to the filesystem's "user_id" option (sz
> is user_id's length). This second vulnerability allows an unprivileged
> user to unmount the FUSE filesystems that belong to certain other users;
> for example, if our own uid is 1000, then we can unmount the FUSE
> filesystems of the users whose uid is 100, 10, or 1

This is hilarious and sad at the same time. It would be obvious to blame the C language. But I think it's time to start putting blame on developers as well, when instead of using proper primitives like "compare string A and B and tell me if they're equal", they insist on using low-level primitives with pointer arithmetic and buffer manipulation. This is the same mindset that led to the recent "pkexec" vulnerability.

This way of parsing and handling strings should be unacceptable in a culture that values security. Please use (create) a proper C library of high-level string manipulation functions, no shortcuts!

> CVE-2021-3996: Unauthorized unmount in util-linux's libmount

> when parsing /proc/self/mountinfo, the libmount blindly
> removes any " (deleted)" suffix from the mountpoint pathnames

> For example, on Fedora, /tmp is a tmpfs, so we can mount a basic FUSE
> filesystem named "/tmp/ (deleted)" (with FUSE's "hello world" program,
> ./hello) and unmount /tmp itself (a denial of service)

Hilarious. This, again, is a culture problem. We should be migrating to proper serialization formats when communicating complex data structures to between kernel and userland, instead of this stringly typed complex to parse hodgepodge that is "mountinfo".

The "deleted" flag should be a boolean or flags field, not part of the path name string.

> CVE-2021-3997: Uncontrolled recursion in systemd's systemd-tmpfiles

> if we create thousands
> of nested directories in /tmp, then "systemd-tmpfiles --remove" (when
> executed as root at boot time) will call its rm_rf_children() function
> recursively (on each nested directory) and will exhaust its stack and crash

> - for example, on Ubuntu 21.04, systemd-tmpfiles fails to create the
> directory /run/lock/subsys; but because /run/lock is world-writable,
> attackers can create their own /run/lock/subsys; and because various
> legacy packages and daemons write into /run/lock/subsys as root, the
> attackers may create arbitrary files via symlinks in /run/lock/subsys.

Mind=blown. One would expect the crash of a startup service to "fail safe" and possibly disable part of the system. But the auditors managed to turn it into a privilege escalation vulnerability.

Not sure where to put the blame, I could see myself making this mistake just as well.