Vulnerability in Flatpak, allowing greater privileges in the system

Jun 23, 2017 | 6:17 pm

Published by | Chandan Singh

In Flatpak system provides the means to create self-contained packages that are not tied to a specific Linux distribution and run in a special insulated container, found dangerous vulnerability (CVE-2017-9780), allowing to elevate their privileges on the system.

This issue is addressed in the release Flatpak 0.8.7 and 0.9.6, as well as packages for Debian. Vulnerability still remains unpatched in the repositories of Fedora and Ubuntu.

The vulnerability allows a malicious prepare Flatpak-package containing files with incorrect permissions, such as a setuid flag, or open to all on the record. After installing this package, these files are stored on the local system with the same rights that allow a local attacker to enforce supplied in the package executable file with a flag suid or arrange for a record in an area accessible to all on the record. In the case where Flatpak-package comprises a system processor ( «system helper»), whose components belong root user (used when Flatpak-packet is set for all users in the system) can be arranged to run the application flag setuid root.

It should be noted that the launch of malicious Flatpak-package using Flatpak is not dangerous, as it runs in PR_SET_NO_NEW_PRIVS mode can not be replaced privileges. But the attack may be executed by another local user, who may apply to the installed files Flatpak and run suid-file directly, bypassing Flatpak tools, getting user credentials under which files are installed malicious Flatpak-package (root, if the package has been installed by the administrator to the entire system).