Vulnerabilities recently discovered by Microsoft make it easy for users with access to many Linux desktop systems to quickly gain root system privileges – the latest privilege elevation flaw to come to light in the open-source operating system.
As operating systems have been hardened against attack in recent years, EoP (elevation of privilege) vulnerabilities have become a crucial ingredient in most successful compromises. They are exploited in conjunction with other vulnerabilities, often considered less severe on their own: the latter grant so-called local access, and the former escalate it to root. From there, attackers with physical access or limited system privileges can deploy backdoors or execute code of their choice.
Nimbuspwn, as Microsoft named the EoP threat, is a pair of vulnerabilities in networkd-dispatcher, a component of many Linux distributions that broadcasts network status changes and can run various scripts in response to a new status. When a machine boots, networkd-dispatcher runs as root.
The bugs, tracked as CVE-2022-29799 and CVE-2022-29800, combine several weaknesses: directory traversal, a symlink race, and a time-of-check/time-of-use (TOCTOU) race condition. After reviewing the networkd-dispatcher source code, Microsoft researcher Jonathan Bar Or noted that a component called “_run_hooks_for_state” implements the following logic:
- Gets the list of available scripts by calling the get_script_list method, which calls a separate scripts_in_path method, which is meant to return all files stored in the /etc/networkd-dispatcher/<state>.d directory.
- Sorts the script list
- Runs each script with subprocess.Popen, supplying custom environment variables
_run_hooks_for_state leaves Linux systems open to the directory traversal vulnerability tracked as CVE-2022-29799 because none of the functions involved sanitizes the state used to build the script path, so a malicious state can escape the /etc/networkd-dispatcher base directory.
_run_hooks_for_state contains a separate bug, CVE-2022-29800, that makes systems vulnerable to a TOCTOU race condition because of the time that elapses between the scripts being discovered and their execution.
Attackers can exploit this latter vulnerability to replace scripts that networkd-dispatcher believes belong to root with malicious scripts of the attacker's choice. To ensure that Linux runs the malicious script instead of the legitimate one, the attacker plants multiple scripts until one eventually succeeds.
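The two defects described above come down to two coding patterns: a state name joined straight into a filesystem path, and a gap between the moment a script's ownership is checked and the moment it is run. The following Python is an added illustration written for this page; it is neither Microsoft's analysis code nor networkd-dispatcher's own source. It places the unsanitized path join beside an allowlisted, root-anchored version, and shows a script collector that verifies ownership through the very descriptor it will later execute, which is the standard way to close a check-then-use window. VALID_STATES, the function names and the hook contents are assumptions; the sample hook directory is constructed by the block itself in a scratch location.

```python
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Base directory as described in the article. VALID_STATES is an assumption:
# the set of networkd operational states a dispatcher would accept as hook names.
SCRIPT_ROOT = "/etc/networkd-dispatcher"
VALID_STATES = {"routable", "dormant", "no-carrier", "off", "carrier",
                "degraded", "configuring", "configured"}
DEMO_UID = os.getuid()  # the scratch directory below is owned by whoever runs this, not root


def script_dir_unsanitized(root, state):
    """The vulnerable pattern (CVE-2022-29799): the state is joined straight into the
    path, so a state containing '../' resolves to a directory outside root."""
    return os.path.normpath(os.path.join(root, state + ".d"))


def script_dir_checked(root, state):
    """Hardened: accept only allowlisted states, then confirm the resolved directory
    is a direct child of root (rejects traversal and a symlinked '<state>.d')."""
    if state not in VALID_STATES:
        raise ValueError(f"rejected state {state!r}")
    root_real = Path(root).resolve()
    candidate = (root_real / f"{state}.d").resolve()
    if candidate.parent != root_real:
        raise ValueError(f"{candidate} escapes {root_real}")
    return str(candidate)


def collect_trusted_scripts(script_dir, trusted_uid=0):
    """Close the TOCTOU window (CVE-2022-29800): open every entry relative to a
    directory descriptor with O_NOFOLLOW, then check ownership and mode with fstat
    on the descriptor actually opened. A symlink swapped in after listdir() either
    fails to open (ELOOP) or is judged as the file it really is. Returns
    (name, fd) pairs so the caller can execute through the descriptor."""
    trusted = []
    dfd = os.open(script_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        dst = os.fstat(dfd)
        if dst.st_uid != trusted_uid or dst.st_mode & stat.S_IWOTH:
            raise PermissionError(f"{script_dir} is not a trusted directory")
        for name in sorted(os.listdir(dfd)):
            try:
                fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
            except OSError:
                continue  # a symlink, or the entry vanished: never run it
            st = os.fstat(fd)
            if (stat.S_ISREG(st.st_mode) and st.st_uid == trusted_uid
                    and not (st.st_mode & stat.S_IWOTH)
                    and (st.st_mode & stat.S_IXUSR)):
                trusted.append((name, fd))
            else:
                os.close(fd)
    finally:
        os.close(dfd)
    return trusted


def run_trusted_scripts(trusted, env):
    """Execute each verified hook through its open descriptor rather than by path,
    so the file that was checked is the file that runs. pass_fds keeps the descriptor
    open across exec, which a '#!' interpreter needs in order to read /proc/self/fd/N."""
    for _name, fd in trusted:
        subprocess.run([f"/proc/self/fd/{fd}"], env=env, pass_fds=(fd,), check=False)
        os.close(fd)


def build_demo_directory():
    """Constructed sample input: <root>/routable.d holding one acceptable hook, one
    world-writable hook, and a symlink, so the checks above can be seen rejecting
    the latter two. Returns the scratch root."""
    root = tempfile.mkdtemp(prefix="dispatcher-demo-")
    hooks = os.path.join(root, "routable.d")
    os.mkdir(hooks, 0o755)
    good = os.path.join(hooks, "10-good")
    with open(good, "w") as f:
        f.write("#!/bin/sh\necho good hook ran\n")
    os.chmod(good, 0o755)
    loose = os.path.join(hooks, "20-world-writable")
    with open(loose, "w") as f:
        f.write("#!/bin/sh\necho should never run\n")
    os.chmod(loose, 0o777)
    os.symlink("/nonexistent/target", os.path.join(hooks, "30-symlink"))
    return root


if __name__ == "__main__":
    root = build_demo_directory()
    print("unsanitized join yields:", script_dir_unsanitized(SCRIPT_ROOT, "../../../tmp/x"))
    hooks = script_dir_checked(root, "routable")
    trusted = collect_trusted_scripts(hooks, trusted_uid=DEMO_UID)
    print("trusted hooks:", [n for n, _ in trusted])  # only 10-good survives the checks
    run_trusted_scripts(trusted, {"PATH": "/usr/bin:/bin"})
```

Run as a normal user the demo accepts only the regular, non-world-writable, owner-matching hook; in a real dispatcher trusted_uid stays at its default of 0. The important design choice is that the ownership test is made on the opened descriptor and the execution goes through that same descriptor, so there is no path lookup between check and use for a symlink change to exploit.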
An attacker with minimal access to a vulnerable desktop can chain these vulnerabilities into an exploit that grants full root access. The exploit flow looks like this:
- Prepare a directory “/tmp/nimbuspwn” and set a symlink “/tmp/nimbuspwn/poc.d” to point to “/sbin”. The “/sbin” directory was chosen because it contains many executables that are owned by root and will not block if run without additional arguments. This abuses the symlink race problem mentioned earlier.
- For each executable filename under “/sbin” owned by root, plant a file with the same name under “/tmp/nimbuspwn”. If, for example, “/sbin/vgs” is executable and owned by root, create an executable file “/tmp/nimbuspwn/vgs” with the desired payload. This helps the attacker win the race imposed by the TOCTOU vulnerability.
- Send a signal with the operational state “../../../tmp/nimbuspwn/poc”. This abuses the directory traversal vulnerability and escapes the script directory.
- The networkd-dispatcher signal handler kicks in and builds the script list from the directory “/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d”, which is really the symbolic link (“/tmp/nimbuspwn/poc.d”) pointing to “/sbin”. It therefore creates a list consisting of many executables owned by root.
- Quickly change the symlink “/tmp/nimbuspwn/poc.d” to point to “/tmp/nimbuspwn”. This abuses the TOCTOU race condition vulnerability: the script path changes without networkd-dispatcher being aware of it.
- The dispatcher starts executing files that it originally found under “/sbin” but that are in truth under the “/tmp/nimbuspwn” directory. Since the dispatcher “believes” these files belong to root, it blindly executes them with subprocess.Popen as root. The attacker has thus successfully exploited the vulnerability.
Here is a visualization:
To gain persistent root access, the researcher used the exploit flow to create a backdoor. The process for this is:
- Copies /bin/sh to /tmp/sch.
- Turns /tmp/sch into a Set-UID (SUID) binary
- Runs /tmp/sh -p. The “-p” flag is necessary because modern shells intentionally drop privileges without it.
The proof-of-concept exploit only works if it can own the bus name “org.freedesktop.network1”. The researcher found several environments where this happens, including Linux Mint, where systemd-networkd does not own the bus name org.freedesktop.network1 by default on boot.
The researcher also found several processes running as the systemd-network user, which is permitted to own the required bus name, that execute arbitrary code from world-writable locations. Vulnerable processes include several gpgv plugins that are launched when apt-get installs or updates packages, and the Erlang Port Mapper Daemon, which allows arbitrary code execution in some scenarios.
The vulnerability has been patched in networkd-dispatcher, although it was not immediately clear when or in what version, and attempts to reach the developer were not immediately successful. People running vulnerable versions of Linux should patch their systems as soon as possible.