Security researchers at Microsoft have discovered a series of flaws in the networkd-dispatcher component of Linux systems which, when exploited as a chain, allow a local attacker to gain root access; the chain has been collectively named Nimbuspwn. An attacker who reaches root in this way can execute arbitrary code as root, deploy payloads and perform any other action on the host.
The networkd-dispatcher is flawed
The vulnerabilities reside in networkd-dispatcher, a separate dispatcher service that runs scripts in response to systemd-networkd connection status changes on Linux systems, and are tracked as CVE-2022-29799 and CVE-2022-29800. The flaws are a directory traversal, a symlink race and a TOCTOU (time-of-check-time-of-use) race condition; chained together, they allow a local user to elevate privileges to root and deploy malware. The flow chart of the attack is shown below:
Jonathan Bar Or, principal security researcher at Microsoft, said:
« The entire exploit elevates privileges assuming our exploit code can own the “org.freedesktop.network1” bus name. While this sounds non-trivial, we have found several environments where this happens. On many environments (e.g. Linux Mint) the service systemd-networkd that normally owns the “org.freedesktop.network1” bus name does not start at boot by default.
While capable of running any arbitrary script as root, our exploit copies /bin/sh to the /tmp directory, sets /tmp/sh as a Set-UID (SUID) executable, and then invokes “/tmp/sh -p”. Note that the “-p” flag is necessary to force the shell to not drop privileges. »
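The quoted description gives a defender two concrete things to look at on a host: whether the "org.freedesktop.network1" bus name is currently owned by a live connection (if it is not, the precondition for the exploit may be satisfiable), and whether a setuid-root shell has been dropped into a world-writable directory such as /tmp, which is the artefact the described exploit leaves behind. The following script is an added example written for this page, not Microsoft's exploit code or part of networkd-dispatcher; it parses the output of `busctl list --system` (falling back to a constructed sample when busctl is not present) and scans a directory for setuid files owned by root. The column layout assumed for busctl and the sample lines are constructed assumptions.

```python
"""Checks for two Nimbuspwn-related conditions (added example, not Microsoft's
exploit code): is org.freedesktop.network1 owned by a live bus connection, and
has a setuid-root file been dropped into a world-writable directory?"""
import os
import shutil
import stat
import subprocess

BUS_NAME = "org.freedesktop.network1"

# Constructed sample of `busctl list --system` output (assumed column layout:
# NAME PID PROCESS USER CONNECTION UNIT SESSION DESCRIPTION). Note that
# org.freedesktop.network1 is absent, i.e. nobody owns it on this host.
SAMPLE_BUSCTL_OUTPUT = """\
NAME                          PID PROCESS         USER            CONNECTION    UNIT                     SESSION DESCRIPTION
:1.0                            1 systemd         root            :1.0          init.scope               -       -
org.freedesktop.login1        734 systemd-logind  root            :1.2          systemd-logind.service   -       -
org.freedesktop.nm_dispatcher   - -               -               (activatable) -                        -       -
"""


def bus_name_owner(busctl_output, name=BUS_NAME):
    """Return (pid, user, unit) if a live connection owns `name`; return None
    if the name is absent or merely activatable (not held right now)."""
    for line in busctl_output.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 6 or fields[0] != name:
            continue
        pid, _process, user, connection, unit = fields[1:6]
        if pid == "-" or connection == "(activatable)":
            return None
        return (int(pid), user, unit)
    return None


def live_busctl_output():
    """Run busctl on this host, or return None when it is unavailable."""
    if shutil.which("busctl") is None:
        return None
    try:
        proc = subprocess.run(["busctl", "list", "--system", "--no-pager"],
                              capture_output=True, text=True, check=True)
    except (subprocess.CalledProcessError, OSError):
        return None
    return proc.stdout


def setuid_files(directory, owner_uid=0):
    """List regular files under `directory` that carry the setuid bit and are
    owned by `owner_uid` (root by default). Symlinks are not followed."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            path = os.path.join(root, fname)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    output = live_busctl_output() or SAMPLE_BUSCTL_OUTPUT
    owner = bus_name_owner(output)
    if owner is None:
        print(f"{BUS_NAME} is not held by a live connection; check whether "
              "systemd-networkd is running and whether the D-Bus policy lets "
              "anyone else own the name")
    else:
        print(f"{BUS_NAME} is owned by pid {owner[0]} ({owner[1]}, {owner[2]})")
    for path in setuid_files("/tmp"):
        print("setuid-root file found in /tmp:", path)
```

An absent bus name is a necessary, not sufficient, condition for the attack: the D-Bus system bus policy also decides which users may own a given name, so a host where the name is unowned still needs its policy files checked before it is treated as exposed.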
At the time of writing there is no patch for these issues, but fixes are expected very soon, and users of networkd-dispatcher should patch their systems as soon as the fix arrives. Until then, note the precondition in the quote above: the exploit only works if attacker-controlled code can claim the "org.freedesktop.network1" bus name, which normally belongs to a running systemd-networkd, so confirming that the service is running and holds the name is a useful interim check.