This commonly-used Ubuntu tool can be hijacked to spread malware

(Image credit: Future)

Hackers can abuse Ubuntu’s “command-not-found” package suggestion system to deliver malware to users, researchers are saying. The attack surface is relatively large, and there are multiple ways threat actors can abuse the feature.

This is according to a new report from cybersecurity researchers Aqua Nautilus, which notes how when a Ubuntu user wants to run a specific program that’s currently not installed on the endpoint they can bring up the "command-not-found" utility and have it suggest packages to install.

The problem here is that there is no way of knowing if the suggested package is malicious or not. The tool suggests packages from an internal database, as well a frequently updated database from the Snap Store, for snap packages. So, in theory, a threat actor could force the system to suggest malicious packages to the user. 

Plenty of room for impersonation

There are three methods to abuse the tool, the researchers further said. The first one is to simply publish malicious snaps to the Snap Store and hope the review process isn’t as detailed as it is for Advanced Package Tool (APT) packages. Snap packages can be published as “strict” or “classic”, with the first one being only for a sandbox, and the second one with unrestricted access, similar to an APT package. The second ones are reviewed manually, opening up plenty of space to successfully hide malware, it was said.

The second method is similar to the first, as due to a loophole in the naming system, the attackers can register malicious snap packages for legitimate APT packages, forcing the tool to suggest both. After that, it’s only a matter of chance for the victim to pick the wrong one. 

The third method involves the threat actors registering unclaimed snap names that users might expect to exist, usually because of potential similarities to known commands. 

"Should a developer wish for their snap to execute a command that deviates from the <snap name>.<application name> format and is not simply <snap name>, they must request an alias," the researchers said. "Such a request initiates a manual review process in which the requested alias is voted on to ensure it aligns with the application."

But if the devs don’t have a snap registered under the alias, an attacker can move in with their own.

Aqua Nautilus says a quarter (26%) of APT package commands could potentially be impersonated, which is a major supply chain risk for both Linux, and WIndows Subsystem for Linux users. 

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.