Vulnerabilities recently discovered by Microsoft make it easy for people with a toehold on many Linux desktop systems to quickly gain root system rights— the latest elevation of privileges flaw to come to light in the open source OS.
As operating systems have been hardened to withstand compromises in recent years, elevation of privilege (EoP) vulnerabilities have become a crucial ingredient for most successful hacks. They can be exploited in concert with other vulnerabilities that on their own are often considered less severe, with the latter giving what’s called local access and the former escalating the root access. From there, adversaries with physical access or limited system rights can deploy backdoors or execute code of their choice.
Nimbuspwn, as Microsoft has named the EoP threat, is two vulnerabilities that reside in the networkd-dispatcher, a component in many Linux distributions that dispatch network status changes and can run various scripts to respond to a new status. When a machine boots, networkd-dispatcher runs as root.
The flaws, tracked as CVE-2022-29799 and CVE-2022-29800, combine threats including directory traversal, symlink race, and time-of-check time-of-use (TOCTOU) race condition. After reviewing the Networkd -dispatcher source code, Microsoft researcher Jonathan Bar Or noticed that a component known as “_run_hooks_for_state” implements the following logic:
- Discovers the list of available scripts list by invoking the “get_script_list” method, which calls a separate “scripts_in_path” method that’s intended to return all the files stored in the “/etc/networkd-dispatcher/.d” directory.
- Sorts the script list
- Runs each script with the process subprocess.Popen and supplies custom environment variables
Run_hooks_for_state leaves Linux systems open to the directory-traversal vulnerability, designated as CVE-2022-29799, because none of the functions it uses adequately sanitize the states used to build the proper script path from malicious input. Hackers can exploit the weakness to break out of the “/etc/networkd-dispatcher” base directory.
Run-hooks_for_state contains a separate flaw, CVE-2022-29800, which leaves systems vulnerable to the TOCTOU race condition since there’s a certain time between the scripts being discovered and them being run.
Adversaries can exploit this latter vulnerability to replace scripts that networkd-dispatcher believes to be owned by root with malicious ones of the adversaries’ choice. To ensure Linux executes the hacker-supplied malicious script rather than the legitimate one, the hacker plants multiple scripts until one finally succeeds.
A hacker with minimal access to a vulnerable desktop can chain together exploits for these vulnerabilities that give full root access. The exploit flow looks like this:
- Prepare a directory ”/tmp/nimbuspwn” and plant a symlink ”/tmp/nimbuspwn/poc.d“ to point to “/sbin”. The “/sbin” directory was chosen specifically because it has many executables owned by root that do not block if run without additional arguments. This will abuse the symlink race issue we mentioned earlier.
- For every executable filename under “/sbin” owned by root, plant the same filename under “/tmp/nimbuspwn”. For example, if “/sbin/vgs” is executable and owned by root, plant an executable file “/tmp/nimbuspwn/vgs” with the desired payload. This will help the attacker win the race condition imposed by the TOCTOU vulnerability.
- Send a signal with the OperationalState “../../../tmp/nimbuspwn/poc”. This abuses the directory traversal vulnerability and escapes the script directory.
- The networkd-dispatcher signal handler kicks in and builds the script list from the directory “/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d”, which is really the symlink (“/tmp/nimbuspwn/poc.d”), which points to “/sbin”. Therefore, it creates a list composed of many executables owned by root.
- Quickly change the symlink “/tmp/nimbuspwn/poc.d” to point to “/tmp/nimbuspwn”. This abuses the TOCTOU race condition vulnerability—the script path changes without networkd-dispatcher being aware.
- The dispatcher starts running files that were initially under “/sbin” but in truth under the “/tmp/nimbuspwn” directory. Since the dispatcher “believes” those files are owned by root, it executes them blindly with subprocess.Popen as root. Therefore, our attacker has successfully exploited the vulnerability.
Here’s a visualization:
To gain persistent root access, the researcher used the exploit flow to create a backdoor. The process for this is:
- Copies /bin/sh to /tmp/sh.
- Turns the new /tmp/sh it into a Set-UID (SUID) binary
- Runs /tmp/sh -p. The “-p” flag is necessary since modern shells drop privileges by design.
The proof-of-concept exploit works only when it can use the “org.freedesktop.network1” bus name. The researcher found several environments where this happens, including Linux Mint, in which the systemd-networkd by default doesn’t own the org.freedodesktop.network1 bus name at boot.
The researcher also found several processes that run as the systemd-network user, which is permitted to use the bus name required to run arbitrary code from world-writable locations. The vulnerable processes include several gpgv plugins, which are launched when apt-get installs or upgrades, and the Erlang Port Mapper Daemon, which allows running arbitrary code under some scenarios.
The vulnerability has been patched in the networkd-dispatcher, although it wasn’t immediately clear when or in what version, and attempts to reach the developer weren’t immediately successful. People using vulnerable versions of Linux should patch their systems as soon as possible.