Scenario for attacking the handler of uninstalled applications in Ubuntu

Researchers from Aqua Security have drawn attention to a possible attack on users of the Ubuntu distribution that takes advantage of the implementation of the "command-not-found" handler, which prints a suggestion when a user tries to run a program that is not installed on the system. The problem is that when "command-not-found" evaluates which package could provide a missing command, it draws its recommendation not only from packages in the standard repositories but also from snap packages in the snapcraft.io catalog.

When generating a recommendation from the contents of the snapcraft.io catalog, the "command-not-found" handler does not take package status into account, so its recommendations include packages added to the catalog by unverified users. An attacker can therefore publish to snapcraft.io a package with hidden malicious content under a name that collides with an existing DEB package, that belongs to a program not present in the repositories at all, or that matches a typo a user is likely to make when typing the name of a popular utility.

For example, an attacker can publish “tracert” and “tcpdamp” packages in the expectation that a user will mistype the names of the “traceroute” and “tcpdump” utilities, at which point “command-not-found” will recommend installing the attacker's malicious packages from snapcraft.io. The user may not notice the catch and assume that the system only recommends vetted packages. An attacker can also publish a snapcraft.io package whose name matches an existing deb package; in that case “command-not-found” prints two recommendations, one for the deb and one for the snap, and the user may choose the snap, considering it more secure or tempted by its newer version.
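The following is an added example, not code from the article or from Aqua Security, showing the kind of check a user or store reviewer could apply to a "command-not-found" suggestion before accepting it: a snap name is flagged either because it is a typo-distance away from a well-known apt command (the “tcpdamp”/“tracert” vector) or because it exactly collides with one (the deb/snap dual-recommendation vector). The list of known commands, the sample snap names and the 0.8 similarity threshold are all constructed assumptions.

```python
import difflib
from typing import Iterable

# Constructed sample data (not from the article): commands a user actually
# means, as provided by packages in the Ubuntu apt repositories.
KNOWN_APT_COMMANDS = {"traceroute", "tcpdump", "nmap", "curl", "wget", "htop"}

# Constructed sample data: snap names that "command-not-found" might suggest,
# covering both vectors described in the text plus an unrelated name.
SAMPLE_SNAP_SUGGESTIONS = ["tcpdamp", "tracert", "nmap", "hello-world"]


def closest_known(name: str, known: Iterable[str]) -> tuple[str, float]:
    """Return the known command most similar to `name` and its similarity ratio.

    difflib's ratio is 2*M/T, where M is the number of matching characters and
    T the combined length, so a one-character typo in a 7-letter name scores
    well above 0.8 while an unrelated name scores far below it.
    """
    best, best_ratio = "", 0.0
    for cmd in known:
        ratio = difflib.SequenceMatcher(None, name, cmd).ratio()
        if ratio > best_ratio:
            best, best_ratio = cmd, ratio
    return best, best_ratio


def classify_suggestion(snap_name: str, known: Iterable[str],
                        threshold: float = 0.8) -> str:
    """Classify a suggested snap name relative to the known apt commands.

    "collision": identical to a deb-provided command (user may pick the snap).
    "typosquat": close enough to a known command to be a likely typo trap.
    "unrelated": no known command resembles it (assumed threshold: 0.8).
    """
    known = set(known)
    if snap_name in known:
        return "collision"
    _, ratio = closest_known(snap_name, known)
    if ratio >= threshold:
        return "typosquat"
    return "unrelated"


def audit_suggestions(snaps: Iterable[str], known: Iterable[str]) -> dict:
    """Map every suggested snap name to its classification."""
    return {s: classify_suggestion(s, known) for s in snaps}


if __name__ == "__main__":
    for name, verdict in audit_suggestions(SAMPLE_SNAP_SUGGESTIONS,
                                           KNOWN_APT_COMMANDS).items():
        print(f"{name:12} -> {verdict}")
```

A "typosquat" or "collision" verdict is a reason to check the snap's publisher and confinement before installing rather than trusting the prompt.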


Snaps that snapcraft.io accepts through automated review can only run in an isolated (confined) environment; non-isolated snaps are published only after manual review. For an attacker, running in an isolated environment with network access may be enough, for example to mine cryptocurrency, take part in DDoS attacks, or send spam.

An attacker can also build isolation-bypass techniques into a malicious package, such as exploiting unpatched vulnerabilities in the kernel or in the isolation mechanisms, using snap interfaces to reach external resources (for covert audio and video recording), or capturing keyboard input under the X11 protocol (to build a keylogger that works from inside the sandbox).

Source: opennet.ru
