This widely used Ubuntu tool can be hijacked to spread malware
Hackers can abuse Ubuntu’s ‘command-not-found’ package suggestion system to deliver malware to users, researchers say. The attack surface is relatively large and there are multiple ways threat actors can abuse this feature.
This is evident from a new report from cybersecurity researchers Aqua Nautilus, which notes that when an Ubuntu user tries to run a program that is not currently installed on the endpoint, the ‘command-not-found’ utility steps in and suggests packages to install.
The problem here is that there is no way to know whether a proposed package is malicious or not. The tool suggests packages from an internal database, as well as from a regularly updated database of snap packages from the Snap Store. So, in theory, a threat actor could cause the system to present malicious packages to the user.
Plenty of room for imitation
There are three methods to abuse the tool, the researchers said. The first is to simply publish malicious snaps to the Snap Store and hope the review process isn’t as thorough as it is for Advanced Package Tool (APT) packages. Snap packages can be published as “strict” or “classic,” with the former confined to a sandbox and the latter offering unrestricted access, similar to an APT package. The latter are manually reviewed, but the report says this still leaves enough room to successfully hide malware.
The second method is similar to the first: due to a loophole in the naming system, attackers can register malicious snap packages under the names of legitimate APT packages, causing the tool to suggest both. After that, it is only a matter of chance whether the victim chooses the wrong one.
In the third method, threat actors register unclaimed names that users would expect to exist, usually because of their similarity to known commands.
“Should a developer want their module to execute a command that differs from the
But if the developers haven’t registered a snap under that alias, an attacker can claim it with their own snap.
Aqua Nautilus says that a quarter (26%) of APT package commands can potentially be spoofed, which is a major supply chain risk for both Linux and Windows Subsystem for Linux users.
Via BleepingComputer