Attack scenario for the handler of non-installed applications in Ubuntu

Researchers from Aqua Security drew attention to the possibility of an attack on users of the Ubuntu distribution that exploits the implementation details of the "command-not-found" handler, which prints a hint when a user tries to launch a program that is missing from the system. The problem is that when evaluating a command that is not available on the system, "command-not-found" selects its recommendations not only from packages in the regular repositories, but also from snap packages in the snapcraft.io catalog.

When forming a recommendation from the snapcraft.io catalog content, the "command-not-found" handler does not take the package status into account and also covers packages added to the catalog by unverified users. Thus, an attacker can place in snapcraft.io a package with hidden malicious content under a name that overlaps with existing DEB packages, with programs that were never present in the repository, or with bogus applications whose names mirror typical typos and user errors when typing the names of popular utilities.

For example, one could publish "tracert" and "tcpdamp" packages in the expectation that a user will mistype the names of the "traceroute" and "tcpdump" utilities, after which "command-not-found" will recommend installing the attacker's malicious packages from snapcraft.io. The user may not notice the catch and assume that the system recommends only verified packages. The attacker can also place in snapcraft.io a package whose name overlaps with an existing deb package, in which case "command-not-found" will give two recommendations, one for the deb and one for the snap, and the user may choose the snap, considering it more secure or tempted by a newer version.
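As an added illustration (this is example code, not Aqua Security's research code and not the real "command-not-found" implementation), the following Python models the two lookup situations described above, a snap-only hit on a typo-like name and a deb/snap name collision, and shows the kind of defender-side check one might run over a proposed recommendation: flag a snap from an unverified publisher when its name collides with an apt package or sits within a small edit distance of a well-known command. The apt index, snap catalog and list of popular commands are constructed sample data, not the real repositories.

```python
"""Model of a command-not-found style lookup with a typo/collision warning.

Added example; all catalogs below are constructed sample data, not the real
apt index or the snapcraft.io catalog. Publisher status and confinement values
are placeholders chosen to illustrate the two scenarios from the text.
"""

# Constructed sample apt index: command name -> deb package that provides it.
APT_INDEX = {
    "traceroute": "inetutils-traceroute",
    "tcpdump": "tcpdump",
    "nmap": "nmap",
}

# Constructed sample snap catalog: snap name -> metadata the handler ignores.
SNAP_CATALOG = {
    "tracert": {"publisher_verified": False, "confinement": "strict"},
    "tcpdamp": {"publisher_verified": False, "confinement": "strict"},
    "tcpdump": {"publisher_verified": False, "confinement": "strict"},
    "nmap": {"publisher_verified": True, "confinement": "strict"},
}

# Constructed list of well-known commands whose names are worth protecting.
POPULAR_COMMANDS = ("traceroute", "tcpdump", "nmap", "wget", "curl")

# Maximum Levenshtein distance at which a snap name is treated as typo-like.
TYPO_DISTANCE = 3


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookup(cmd: str) -> list:
    """Mimic the handler: collect every source that can provide `cmd`.

    Like the real handler, this does NOT consult publisher status, which is
    exactly the gap the warning step below fills.
    """
    recommendations = []
    if cmd in APT_INDEX:
        recommendations.append(("apt", APT_INDEX[cmd]))
    if cmd in SNAP_CATALOG:
        recommendations.append(("snap", cmd))
    return recommendations


def assess(cmd: str) -> dict:
    """Return the recommendations plus warnings a cautious wrapper would show."""
    recommendations = lookup(cmd)
    warnings = []
    for source, name in recommendations:
        if source != "snap":
            continue
        meta = SNAP_CATALOG[name]
        if meta["publisher_verified"]:
            continue  # verified publisher: nothing to flag in this model
        if cmd in APT_INDEX:
            warnings.append(
                f"snap '{name}' collides with apt package "
                f"'{APT_INDEX[cmd]}' and comes from an unverified publisher")
        close = [p for p in POPULAR_COMMANDS
                 if p != cmd and edit_distance(cmd, p) <= TYPO_DISTANCE]
        if close:
            warnings.append(
                f"snap '{name}' from an unverified publisher is a near-match "
                f"for well-known command(s) {close}")
    return {"recommendations": recommendations, "warnings": warnings}


if __name__ == "__main__":
    for typed in ("tracert", "tcpdamp", "tcpdump", "nmap", "ls"):
        result = assess(typed)
        print(f"{typed!r}: {result['recommendations']}")
        for w in result["warnings"]:
            print(f"    WARNING: {w}")
```

The point of the model is the asymmetry: `lookup` reproduces the behaviour the text describes (any catalog entry with a matching name is a candidate), while `assess` adds the two signals the handler itself does not use, publisher status and name proximity to a protected command. In the sample data "tracert" and "tcpdamp" yield snap-only recommendations that trip the near-match warning, "tcpdump" yields both a deb and a snap and trips the collision warning, and "nmap", whose snap is marked as verified, produces two recommendations with no warning.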

Apps in the snap format that are listed on snapcraft.io may pass through automated review only if they run in an isolated environment (snap packages without isolation are published only after manual review). For an attacker it may be sufficient to run inside an isolated environment with network access, for example to mine cryptocurrency, take part in DDoS attacks, or send spam.

An attacker can also use isolation-bypass methods in malicious packages, such as exploiting unpatched vulnerabilities in the kernel and isolation mechanisms, using snap interfaces to access external resources (for hidden audio and video recording), or capturing keyboard input via the X11 protocol (to build a keylogger that runs inside the sandbox).