Dirty Sock vulnerability lets attackers gain root access on Linux systems

After Dirty COW caused headaches in 2016, now Linux sysadmins have to worry about Dirty Sock.

Windows is porting popular Sysinternals tools package to Linux Microsoft engineers have already ported the ProcDump utility and are currently working on porting ProcMon as well. More tools to follow.

A security researcher published today proof-of-concept (PoC) code for a vulnerability primarily impacting Ubuntu, but also other Linux distros.

Canonical, the company behind the Ubuntu operating system, has released a patch (USN-3887-1) for this issue yesterday, in advance of today's full disclosure.

The vulnerability was discovered at the end of January by Chris Moberly, a security researcher for The Missing Link in Australia, who worked closely with the Canonical team to have it fixed.

The vulnerability, which Moberly refers to as Dirty Sock, doesn't allow hackers to break into vulnerable machines remotely, but once attackers have a foothold on any unpatched system they can turn a simple intrusion into a bad hack where they have control over the entire OS.

In technical jargon, Dirty Sock is a local privilege escalation flaw that lets hackers create root-level accounts.

The actual vulnerability isn't in the Ubuntu operating system itself, but in the Snapd daemon that's included by default with all recent Ubuntu versions, but also with some other Linux distros.


Must read


Snapd is the daemon that manages "snaps," a new app packaging format developed and used by Canonical for Ubuntu apps since 2014. Snapd lets users download and install apps in the .snap file format.

Moberly says that Snapd exposes a local REST API server that snap packages (and the official Ubuntu Snap Store) interact with during the installation of new apps (snaps).

The researcher says he identified a way to skirt the access control restrictions imposed on this API server and gain access to all API functions, including the ones restricted for the root user.

Proof-of-concept code that Moberly published on GitHub today includes two example exploits that can be used to abuse this API and create new root-level accounts.

Dirty Sock demo

Image: Chris Moberly

The malicious code to exploit this vulnerability (also tracked as CVE-2019-7304) can be run directly on an infected host, or can be hidden inside malicious snap packages --some of which have been known to make their way on the Ubuntu Snap Store in the past.

Snapd versions 2.28 through 2.37 are all vulnerable to the Dirty Sock exploit. Moberly reported the issue to Canonical, Snapd's developer, who released Snapd version 2.37.1 this week to address the issue.

At the same time, Canonical also released security updates for the Ubuntu Linux OS, for which the Snapd package was initially developed and where it's included and enabled by default.

Other Linux distros that use Snapd also shipped security updates, such as Debian, Arch Linux, OpenSUSE, Solus, and Fedora.

Moberly's in-depth technical write-up on the Dirty Sock flaw is available here while the PoC is here.

Related stories: