Microsoft researchers have uncovered a group of vulnerabilities in a Linux service called networkd-dispatcher that can enable an attacker to gain root privileges on vulnerable systems, install malware, or take any other arbitrary action.
Networkd-dispatcher is a Linux add-on that is designed to listen for network connection changes from the systemd-networkd Linux components. By default, it runs as root and researchers with Microsoft’s 365 Defender Security Team recently examined the source code for the module and discovered several vulnerabilities that can be combined to gain root privileges. The maintainers of the project have deployed fixes for the bugs.
The vulnerabilities all exist in one portion of the networkd-dispatcher code, which is meant to look for scripts in a specific location, sort them, and then execute them. The first bug is a directory traversal issue.
“None of the functions in the flow sanitize the OperationalState or the AdministrativeState. Since the states are used to build the script path, it is possible that a state would contain directory traversal patterns (e.g. “../../”) to escape from the ‘/etc/networkd-dispatcher’ base directory,” the MIcrosoft advisory by Jonathan Bar Or says.
The second vulnerability is a symbolic-link race condition, and the third is a time-of-check-time-of-use race condition in the same section of the source code.
“There is a certain time between the scripts being discovered and them being run. An attacker can abuse this vulnerability to replace scripts that networkd-dispatcher believes to be owned by root to ones that are not,” the advisory says.
Successfully exploiting these vulnerabilities to gain root privileges is a multi-step process, and Microsoft’s exploitation process assumes the attacker controls a malicious D-Bus component with which he can send an arbitrary signal. After that, the attacker prepares a directory and plants a symlink in it that points to another directory, in which he plants copies of every executable file owned by the root user. The attacker then exploits the directory traversal flaw and is able to build a list of scripts owned by the root user and then change the symlink to exploit the TOCTOU bug. The end result is the attacker gains root privileges.
Microsoft has named the group of vulnerabilities in networkd-dispatcher Nimbuspwn and the researchers urged organizations to update the package as quickly as possible.
“The vulnerabilities can be chained together to gain root privileges on Linux systems, allowing attackers to deploy payloads, like a root backdoor, and perform other malicious actions via arbitrary root code execution. Moreover, the Nimbuspwn vulnerabilities could potentially be leveraged as a vector for root access by more sophisticated threats, such as malware or ransomware, to achieve greater impact on vulnerable devices,” Bar Or says.