Local root vulnerabilities in the Snap package management toolkit

Qualys has identified two vulnerabilities (CVE-2021-44731, CVE-2021-44730) in the snap-confine utility, which ships with the SUID root flag and is invoked by snapd to build the execution environment for applications delivered as self-contained snap packages. The vulnerabilities allow an unprivileged local user to execute code with root privileges on the system. The issues are fixed in today's snapd package update for Ubuntu 21.10, 20.04 and 18.04.

The first vulnerability (CVE-2021-44730) allows an attack through hard-link manipulation, but requires the system's hard-link protection to be disabled (sysctl fs.protected_hardlinks set to 0). The problem stems from incorrect validation of the location of the executables of the snap-update-ns and snap-discard-ns helper programs, which run as root. The path to these files is computed in the sc_open_snapd_tool() function relative to snap-confine's own path as read from /proc/self/exe. That lets an attacker create a hard link to snap-confine in a directory they control and place their own versions of snap-update-ns and snap-discard-ns in that same directory. When started through the hard link, snap-confine, running with root privileges, launches snap-update-ns and snap-discard-ns from the directory containing the link, where the attacker has substituted them.
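The path derivation described above, as an added example that is not snap-confine's own code: a naive helper lookup that trusts whatever directory /proc/self/exe appears to live in, next to a hardened variant that only accepts the distribution's install directories. The allowlist, the function names and the /proc/sys/fs/protected_hardlinks probe are assumptions made for this example, not snapd's actual fix.

```c
// Added example, not snap-confine's code.  Shows why deriving helper paths
// from /proc/self/exe is unsafe once an attacker can hard-link the SUID binary
// into a directory they control, and one way to refuse such a location.
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

static char result[PATH_MAX];                 /* shared output buffer */

/* Copies exe_path into buf and returns its directory part, or NULL if the
 * path is not absolute or does not fit. */
static const char *dir_of(const char *exe_path, char *buf, size_t len)
{
    if (exe_path[0] != '/' || strlen(exe_path) >= len) return NULL;
    strcpy(buf, exe_path);
    return dirname(buf);                      /* modifies buf in place */
}

/* Vulnerable shape: the helper lives "next to me", wherever that is.
 * With fs.protected_hardlinks=0, a hard link /home/u/x/snap-confine makes
 * this resolve to /home/u/x/snap-update-ns, a file the attacker wrote. */
const char *helper_path_naive(const char *exe_path, const char *tool)
{
    char buf[PATH_MAX];
    const char *dir = dir_of(exe_path, buf, sizeof buf);
    if (!dir) return NULL;
    int n = snprintf(result, sizeof result, "%s/%s", dir, tool);
    return (n < 0 || (size_t)n >= sizeof result) ? NULL : result;
}

/* Hardened shape: only the directories where the distribution installs
 * snap-confine are acceptable (this allowlist is an assumption for the
 * example).  A hard link anywhere else is rejected before any helper runs. */
static const char *const trusted_dirs[] = {
    "/usr/lib/snapd",
    "/usr/libexec/snapd",
    NULL
};

const char *helper_path_trusted(const char *exe_path, const char *tool)
{
    char buf[PATH_MAX];
    const char *dir = dir_of(exe_path, buf, sizeof buf);
    if (!dir) return NULL;
    for (const char *const *t = trusted_dirs; *t; t++)
        if (strcmp(dir, *t) == 0)
            return helper_path_naive(exe_path, tool);
    return NULL;                              /* untrusted location: refuse */
}

/* Reads the sysctl that makes the hard-link variant possible.
 * Returns 1 if protection is on, 0 if off, -1 if the file is unreadable. */
int protected_hardlinks_enabled(void)
{
    FILE *f = fopen("/proc/sys/fs/protected_hardlinks", "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    char self[PATH_MAX];
    ssize_t n = readlink("/proc/self/exe", self, sizeof self - 1);
    if (n < 0) { perror("readlink"); return 1; }
    self[n] = '\0';
    printf("fs.protected_hardlinks = %d\n", protected_hardlinks_enabled());
    const char *naive = helper_path_naive(self, "snap-update-ns");
    printf("naive lookup would execute: %s\n", naive ? naive : "(none)");
    const char *safe = helper_path_trusted(self, "snap-update-ns");
    printf("hardened lookup: %s\n", safe ? safe : "refused, not a trusted directory");
    return 0;
}
```

Run as a normal user, the program reports that the naive lookup happily points at a helper beside the current binary, while the hardened lookup refuses because the binary is not under one of the trusted directories. On a system where the sysctl reads 0, the hard-link precondition of CVE-2021-44730 is present.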

The second vulnerability (CVE-2021-44731) is a race condition and is exploitable in a default Ubuntu Desktop installation. For the exploit to work on Ubuntu Server, one of the packages from the "Featured Server Snaps" section must have been selected during installation. The race lies in the setup_private_mount() function, which is called while preparing the mount namespace for a snap package. This function creates the temporary directory "/tmp/snap.$SNAP_NAME/tmp", or reuses an existing one, and bind-mounts the snap package's directories into it.

Because the name of the temporary directory is predictable, an attacker can replace its contents with a symbolic link after the ownership check but before the mount system call. For example, one can create a symlink "/tmp/snap.lxd/tmp" inside the /tmp/snap.lxd directory pointing to an arbitrary directory, and the mount() call will follow the symlink and mount that directory inside the snap's namespace. In the same way, an attacker can mount their own contents over /var/lib and, by replacing /var/lib/snapd/mount/snap.snap-store.user-fstab, arrange for their own /etc directory to be mounted in the snap package's namespace, so that a substituted /etc/ld.so.preload loads an attacker-supplied library with root privileges.

It is noted that building an exploit was a non-trivial task, since the snap-confine utility (written in C; snapd itself is written in Go) uses defensive programming practices, is protected by AppArmor profiles, filters system calls through the seccomp mechanism, and uses a mount namespace for isolation. Nevertheless, the researchers were able to prepare a working exploit that gains root privileges on the system. The exploit code will be published a few weeks after users have installed the released update.

source: budenet.ru
