Categories: Technology

Microsoft finds Linux desktop flaw that gives root to untrusted users

[ad_1]

Getty Images

Vulnerabilities recently discovered by Microsoft make it easy for people with a toehold on many Linux desktop systems to quickly gain root system rights— the latest elevation of privileges flaw to come to light in the open source OS.

As operating systems have been hardened to withstand compromises in recent years, elevation of privilege (EoP) vulnerabilities have become a crucial ingredient for most successful hacks. They can be exploited in concert with other vulnerabilities that on their own are often considered less severe, with the latter giving what’s called local access and the former escalating the root access. From there, adversaries with physical access or limited system rights can deploy backdoors or execute code of their choice.

Nimbuspwn, as Microsoft has named the EoP threat, is two vulnerabilities that reside in the networkd-dispatcher, a component in many Linux distributions that dispatch network status changes and can run various scripts to respond to a new status. When a machine boots, networkd-dispatcher runs as root.

Microsoft

The flaws, tracked as CVE-2022-29799 and CVE-2022-29800, combine threats including directory traversal, symlink race, and time-of-check time-of-use (TOCTOU) race condition. After reviewing the Networkd -dispatcher source code, Microsoft researcher Jonathan Bar Or noticed that a component known as “_run_hooks_for_state” implements the following logic:

  • Discovers the list of available scripts list by invoking the “get_script_list” method, which calls a separate “scripts_in_path” method that’s intended to return all the files stored in the “/etc/networkd-dispatcher/.d” directory.
  • Sorts the script list
  • Runs each script with the process subprocess.Popen and supplies custom environment variables

Microsoft

Run_hooks_for_state leaves Linux systems open to the directory-traversal vulnerability, designated as CVE-2022-29799, because none of the functions it uses adequately sanitize the states used to build the proper script path from malicious input. Hackers can exploit the weakness to break out of the “/etc/networkd-dispatcher” base directory.

Run-hooks_for_state contains a separate flaw, CVE-2022-29800, which leaves systems vulnerable to the TOCTOU race condition since there’s a certain time between the scripts being discovered and them being run.

Adversaries can exploit this latter vulnerability to replace scripts that networkd-dispatcher believes to be owned by root with malicious ones of the adversaries’ choice. To ensure Linux executes the hacker-supplied malicious script rather than the legitimate one, the hacker plants multiple scripts until one finally succeeds.

A hacker with minimal access to a vulnerable desktop can chain together exploits for these vulnerabilities that give full root access. The exploit flow looks like this:

  1. Prepare a directory ”/tmp/nimbuspwn” and plant a symlink ”/tmp/nimbuspwn/poc.d“ to point to “/sbin”. The “/sbin” directory was chosen specifically because it has many executables owned by root that do not block if run without additional arguments. This will abuse the symlink race issue we mentioned earlier.
  2. For every executable filename under “/sbin” owned by root, plant the same filename under “/tmp/nimbuspwn”. For example, if “/sbin/vgs” is executable and owned by root, plant an executable file “/tmp/nimbuspwn/vgs” with the desired payload. This will help the attacker win the race condition imposed by the TOCTOU vulnerability.
  3. Send a signal with the OperationalState “../../../tmp/nimbuspwn/poc”. This abuses the directory traversal vulnerability and escapes the script directory.
  4. The networkd-dispatcher signal handler kicks in and builds the script list from the directory “/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d”, which is really the symlink (“/tmp/nimbuspwn/poc.d”), which points to “/sbin”. Therefore, it creates a list composed of many executables owned by root.
  5. Quickly change the symlink “/tmp/nimbuspwn/poc.d” to point to “/tmp/nimbuspwn”. This abuses the TOCTOU race condition vulnerability—the script path changes without networkd-dispatcher being aware.
  6. The dispatcher starts running files that were initially under “/sbin” but in truth under the “/tmp/nimbuspwn” directory. Since the dispatcher “believes” those files are owned by root, it executes them blindly with subprocess.Popen as root. Therefore, our attacker has successfully exploited the vulnerability.

Here’s a visualization:

Microsoft

To gain persistent root access, the researcher used the exploit flow to create a backdoor. The process for this is:

  1. Copies /bin/sh to /tmp/sh.
  2. Turns the new /tmp/sh it into a Set-UID (SUID) binary
  3. Runs /tmp/sh -p. The “-p” flag is necessary since modern shells drop privileges by design.

Microsoft

The proof-of-concept exploit works only when it can use the “org.freedesktop.network1” bus name. The researcher found several environments where this happens, including Linux Mint, in which the systemd-networkd by default doesn’t own the org.freedodesktop.network1 bus name at boot.

The researcher also found several processes that run as the systemd-network user, which is permitted to use the bus name required to run arbitrary code from world-writable locations. The vulnerable processes include several gpgv plugins, which are launched when apt-get installs or upgrades, and the Erlang Port Mapper Daemon, which allows running arbitrary code under some scenarios.

The vulnerability has been patched in the networkd-dispatcher, although it wasn’t immediately clear when or in what version, and attempts to reach the developer weren’t immediately successful. People using vulnerable versions of Linux should patch their systems as soon as possible.

[ad_2]
Source link
Admin

Recent Posts

Super Slot Games Review

Super slots provide the pinnacle of casino gaming with their interactive bonus rounds, captivating graphics,…

4 months ago

The Evolution and Impact of  Nanomedicine

Introduction to Nanomedicine Nanomedicine, a subfield of nanotechnology, involves the application of nanoscale materials and…

4 months ago

Chumba Online Casino Review

Chumba Casino provides an extraordinary online gaming experience. Its sweepstakes model allows players to win…

5 months ago

How to Find the Best Online Casinos to Play For Free

Online casinos provide quick, simple, and highly convenient gambling experiences for their players. Offering a…

5 months ago

How to Achieve a Flawless Complexion with the Right Products

Achieving a flawless complexion is a common skincare goal. With the right face care products, you can enhance…

5 months ago

Creating Ideal Matches: The Mutual Selection of Clients and Businesses

Shared values and goals, transparency, understanding each other's needs, communication, and respecting boundaries are vital…

5 months ago