The Microsoft security researchers released the news that have identified two vulnerabilities (CVE-2022-29799, CVE-2022-29800) in the networkd-dispatcher service codenamed Nimbuspwn that allow an unprivileged user to execute arbitrary commands as root.
networkd-dispatcher en used by many Linux distributions, including Ubuntu, which uses the systemd-networkd background process to configure network settings and performs functions similar to NetworkManager-dispatcher, i.e. it handles script execution when the network connection state changes, for example , it is used to start a VPN after establishing the main network connection.
Microsoft has discovered several vulnerabilities, collectively named Nimbuspwn, that could allow an attacker to elevate privileges to root on many Linux desktop endpoints. The vulnerabilities can be chained to gain root privileges on Linux systems, allowing attackers to deploy payloads such as a root backdoor and perform other malicious actions through arbitrary root code execution. Additionally, Nimbuspwn vulnerabilities could potentially be exploited as a vector for root access by more sophisticated threats, such as malware or ransomware, to further impact vulnerable devices.
We discovered the vulnerabilities by listening for messages on the System Bus while performing code reviews and dynamic analysis on services running as root, and noticed a strange pattern in a systemd unit called networkd-dispatcher.
The background process associated with networkd-dispatcher runs as root and listens for events through the D-Bus. The systemd-networkd service sends information about events related to the change of state of network connections. The problem is that non-privileged users can raise a nonexistent status event and start executing your script, which will run as root.
systemd-networkd is designed to run scripts only system controller located in the /etc/networkd-dispatcher directory and not user replaceable, but due to a vulnerability (CVE-2022-29799) it was possible that the file path handling code was turned off from the base directory of limits and execute arbitrary scripts.
In particular, when forming the file path to the script, the OperationalState and AdministrationState values transmitted over D-Bus were used, in which the special characters were not deleted. An attacker could generate their own state with the characters "../" in the name and redirect the networkd-dispatcher call to another directory.
The second vulnerability (CVE-2022-29800) is related to a race condition: Between checking the script parameters (owned by root) and executing it, there was a short period of time, enough to replace the file and skip checking the script owned by root. Also, networkd-dispatcher did not check symbolic links, even when executing scripts via the subprocess.Popen call, which greatly simplified attack orchestration.
The directory "/tmp/nimbuspwn" is created and a symlink "/tmp/nimbuspwn/poc.d" pointing to the directory "/sbin" is created which is used to pass a check for executable files owned by root.
For “/sbin” executable files, files with the same name are created in the “/tmp/nimbuspwn” directory, for example, for “/sbin/vgs” file, an executable file “/tmp/nimbuspwn/ vgs" is created, owned by a user without privileges, in which the code that the attacker wants to execute is put.
A D-Bus signal is sent to the networkd-dispatcher process with OperationalState set to "../../../tmp/nimbuspwn/poc". To send a signal in the "org.freedesktop.network1" namespace, you used the ability to connect your controllers to systemd-networkd, for example, by gpgv or epmd manipulations, or you can use the fact that systemd-networkd it is not running by default (for example, on Linux mint).
Upon receiving the signal, Networkd-dispatcher creates a list of executable files owned by the root user and available in the "/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d" directory, which it actually refers to "/sbin".
As soon as the list of files is received, but the script has not yet been executed, the symbolic link is redirected from "/tmp/nimbuspwn/poc.d" to "/tmp/nimbuspwn" and networkd-dispatcher will be executed as root. script placed by the attacker.
The problem fixed in networkd-dispatcher 2.2 release, although there is no information about release of updates by distributions.
Finally if you are interested in knowing more about it, you can check the details In the following link.