Microsoft security researchers have identified a series of weaknesses that, when exploited as a chain, allow local attackers to achieve root access, dubbed as Nimbuspwn. A blog post from the Microsoft 365 Defender team detailing multiple vulnerabilities that have been discovered. Adversary groups can exploit these to easily elevate privileges on Linux systems, allowing the deployment of payloads, ransomware, and other malicious actions targeting networkd-dispatcher and involve directory traversal, symlink race, and TOCTU race situations, among others.

More details can be found in their blog post, and the two CVEs sought, CVE-2022-29799 & CVE-2022-29800, will provide additional information. These CVE IDs were reserved at the time of release.

Furthermore, more sophisticated attacks, such as malware or ransomware, might leverage the Nimbuspwn vulnerabilities to gain root access and have a greater impact across compromised systems.

About the vulnerability

According to the findings CVE-2022-29800 is a time-of-check-time-of-use (TOCTOU) race condition that could allow an attacker to replace scripts that networkd-dispatcher (the vulnerable systemd unit) believes are owned by root with scripts that are not. Add in a symlink race condition uncovered by the researchers at the same time, and provides a clear path to privilege elevation. While CVE-2022-29799 is a directory traversal bug.

Microsoft's security researchers have disclosed these vulnerabilities to the appropriate maintainers via the Coordinated Vulnerability Disclosure (CVD) program, which is run by Microsoft Security Vulnerability Research (MSVR). Users of networkd-dispatcher are recommended to update their instances because the maintainer of the networkd-dispatcher has successfully rolled out the patches for these vulnerabilities.

As organizations continue to rely on a wide range of devices and systems, robust solutions that provide cross-platform protection and a holistic overview of their security posture are required to mitigate threats like Nimbuspwn. The ever-increasing number of Linux vulnerabilities reinforces the need of controlling the operating system and its subsystems.

Vulnerability Detection

It all began with enumerating root-run services and intercepting System Bus signals, doing both code reviews and dynamic analysis. As a result, the researchers have documented two instances of information leakage:

While these are intriguing, their severity is minimal - an attacker can list files beneath folders that need elevated rights to list files. Then we noticed some fascinating trends in a systemd module called networkd-dispatcher. The objective of networkd-dispatcher is to dispatch network status updates and possibly conduct alternative scripts based on the new state. Surprisingly, it boots as root:

Networkd-dispatcher Code Flow

The security researchers observed an intriguing code flow throughout the analysis of the networkd-dispatcher source code:

• The register function adds a new signal receiver to the System Bus for the service "org.freedesktop.network1" and the signal "PropertiesChanged."

• The "_receive signal" signal handler does some basic checks on the object type being received, concludes the modified network interface based on the object path being delivered, and then concludes its new states–"OperationalState" and "AdministrativeState"–fetched from the data. If any of the states is not empty, the "handle state" function will be called.

• For each of those two states, the "handle state" method simply calls "_handle one state."

• "_handle one state" ensures that the state is not empty and that it differs from the preceding state. If it is, it will update the new state and call the "_run hooks for state" function, which will identify and run the scripts for the new state.

• The following logic is implemented by _run hooks for state":

Gets the script list by calling the "get script list" method (which gets the new state as a string). If you want to find all the files under "/etc/networkd-dispatcher/state>.d" that are owned by the root user and the root group, and that can be run, this method just calls "scripts in path."

Sorts the script list.

Runs each script with subprocess.Popen while supplying custom environment variables.

Multiple security issues disclosed in fifth step:

Directory traversal (CVE-2022-29799): The OperationalState and the AdministrativeState are not sanitized by any of the processes in the flow. Due to the fact that the states are utilized to construct the script path, it is possible for a state to include directory traversal patterns (e.g. "../../") that allow the user to exit the "/etc/networkd-dispatcher" base directory. Symlink race Both the detection of scripts and the subprocess.popen is a symbologist. Time-of-check-time-of-use (TOCTOU) race condition (CVE-2022-29800 ): There is a temporal delay between the discovery of scripts and their execution. An attacker may exploit this issue to change the ownership of scripts that networkd-dispatcher thinks are owned by root to non-root scripts.

Exploitation

Assume an opponent has a hostile D-Bus component capable of sending any signal. As a result, an attacker may commit the following:

• Create a directory called "/tmp/nimbuspwn" and refer it to "/sbin" through a symlink called "/tmp/nimbuspwn/poc.d". The "/sbin" directory was selected precisely because it contains a large number of root-owned executables that do not need extra arguments to operate. This exploits the previously described symlink race condition.
• Plant a file named "/tmp/nimbuspwn" for each executable filename under "/sbin" that is controlled by root. For instance, if "/sbin/vgs" is executable and owned by root, plant the appropriate payload in the executable file "/tmp/nimbuspwn/vgs". This enables the attacker to defeat the TOCTOU vulnerability's race condition.
• Send a signal with the OperationalState "../../../tmp/nimbuspwn/poc". This exploits the directory traversal vulnerability and allows access to the script directory to be bypassed.
• The networkd-dispatcher signal handler kicks in and creates the script list from the directory "/etc/networkd-dispatcher/../../../../tmp/nimbuspwn/poc.d", which is really a symlink to "/sbin". As a result, a list of several executables owned by root is generated.
• Change the path to "/tmp/nimbuspwn/poc.d" to "/tmp/nimbuspwn". This exploits the TOCTOU race situation vulnerability–the script path changes invisibly to networkd-dispatcher.
• The dispatcher executes files that were originally located in the "/sbin" directory but were really located in the "/tmp/nimbuspwn" directory. Because the dispatcher "believes" the files are owned by root, it uses subprocess to execute them blindly. As root, popen As a result, our adversary exploited the vulnerability effectively.

Notably, we plant a large number of possible running files in order to win the TOCTOU race condition with a high probability. Three tries are sufficient to win the TOCTOU race condition, as shown by our studies.

Due to the fact that it was not intended to execute the exploit every time, in order to run as root, the payload that was ultimately implemented leaves a root backdoor:

1.Copies /bin/sh to /tmp/sh. 2.Turns the new /tmp/sh it into a Set-UID (SUID) binary. 3.Run /tmp/sh -p. The “-p” flag is necessary since modern shells drop privileges by design.

Thus exploiting this kind of vulnerability needs local shell access, it is critical for people who presently use networkd-dispatcher in their Linux workload settings. Under the instruction of Microsoft, the developer has produced a patch to address the problem, which should be applied by people with computers affected by this vulnerability.