{"id":21780,"date":"2022-04-28T21:54:01","date_gmt":"2022-04-28T21:54:01","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=21780"},"modified":"2022-04-28T21:54:01","modified_gmt":"2022-04-28T21:54:01","slug":"nimbuspwn-root-privilege-escalation-linux","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/threats\/nimbuspwn-root-privilege-escalation-linux\/","title":{"rendered":"Nimbuspwn: New Root Privilege Escalation Found in Linux"},"content":{"rendered":"

The Microsoft 365 Defender Research Team has revealed<\/a> several new Linux vulnerabilities collectively dubbed “Nimbuspwn.” Like the Dirty Pipe vulnerability<\/a>, they only need a local user with low capabilities to elevate privileges, but this time the exploit seems much more specific and focuses on \u201cnetworkd-dispatcher,\u201d a systemd component that handles connection status changes.<\/p>\n

The Nimbuspwn collection of vulnerabilities is recorded as CVE-2022-29799<\/a> (Directory Traversal) and CVE-2022-29800<\/a> (TOCTOU race conditions). The researchers found that the logic implemented in the networkd-dispatcher component does not sanitize critical elements used to build the script path, which could be exploited to escape the \/etc\/networkd-dispatcher\/ directory.<\/p>\n

In addition, the Microsoft researchers discovered a dangerous delay (hence the TOCTOU, time-of-check-time-of-use) between the scripts being discovered by the component and the time they’re actually run. Hackers could exploit such intervals to replace the scripts with their own.<\/p>\n

The researchers concluded attackers might use these vulnerabilities to send an arbitrary signal. It\u2019s possible only under specific conditions, but they can make networkd-dispatcher execute some scripts blindly and as root. Attackers may use it to perform additional tasks such as distributing malware<\/a> or deploying ransomware<\/a>.<\/p>\n

See the Top 10 Open Source Vulnerability Assessment Tools<\/a><\/p>\n

Nimbuspwn Exploit Steps<\/strong><\/h2>\n

The Microsoft researchers described all the steps in a very explanatory schema (image below) that shows how attackers could chain the exploits to divert networkd-dispatcher and gain root privileges:<\/p>\n

\"Nimbuspwn\"<\/p>\n

Daemons and D-Bus<\/strong><\/h3>\n

To understand how Nimbuspwn works, you need a basic overview of the Linux components involved, like daemons and buses.<\/p>\n

Daemons are utility programs that run in the background to monitor and maintain some subsystems. They execute very specific actions at predefined times or they trigger for some events. Every time you see a process that ends with the letter d, it\u2019s a daemon. You can test it with the ps command or by using built-in utilities such as top<\/em>.<\/p>\n

So \u201cnetworkd\u201d means \u201cnetwork daemon,\u201d and researchers were intrigued by the fact that the networkd-dispatcher daemon runs at boot time with root privileges on the system. If you have the component, you can verify that with the following command in the terminal:<\/p>\n

ps -U root -u root u | grep networkd-dispatcher\r\n<\/pre>\n
D-Bus stands for \u201cDesktop Bus\u201d and allows communications between processes. This mechanism is developed by the freedesktop project and provides the necessary abstraction (or \u201csoftware bus\u201d, a model that facilitates communications between software modules) to guarantee that all processes connected to the bus can communicate with each other efficiently.<\/p>\n
Linux systems (e.g., desktop environments) use D-Bus to instantiate multiple buses, including a single system bus available to all users and processes of the system, that provide access to system services.<\/p>\n
Because system services owned by root\u00a0 are listening and responding to the system bus, it\u2019s an attractive target for hackers.<\/p>\n
Owning the org.freedesktop.network1 bus<\/strong><\/h3>\n
To achieve their exploit, researchers had to own the org.freedesktop.network1 bus name under a privileged service:<\/p>\n
\"Nimbuspwn<\/p>\n
Such a bus name is normally owned by the service systemd-networkd, but hackers can change that if they manage to get a rogue D-Bus.<\/p>\n
These vulnerabilities may seem a bit hard to chain and exploit, and the researchers needed to plant multiple files and make several attempts to win the TOCTOU race condition. However, they delivered a backdoor using Nimbuspwn, which allowed them to skip the exploit when they wanted to use root commands again.<\/p>\n
Any vulnerability that allows root privilege escalation should be taken seriously, regardless of difficulty to exploit.<\/p>\n
See the Top Vulnerability Management Tools<\/a><\/p>\n
How to Protect Against Nimbuspwn<\/strong><\/h2>\n
At the time of writing, there\u2019s no official list of affected environments and distributions but the Microsoft Research Team mentioned Linux Mint, a light distribution based on Ubuntu, a Debian-based operating system and possibly the most popular Linux distro.<\/p>\n
A quick search<\/a> might help you identify all distributions that could have the vulnerable component. Clayton Craft, the maintainer of networkd-dispatcher, has patched the vulnerabilities, so if you have the component enabled, you are strongly encouraged to update.<\/p>\n
However, and it’s good news in this case, the component might not be installed by default in all distributions. You might check it manually but there\u2019s already a free open source detector<\/a> available on GitHub that will check if the process is currently running on your system.<\/p>\n
More generally, Nimbuspwn shows how important it is to monitor all endpoints<\/a>, including Linux devices. There\u2019s a growing number of vulnerabilities and exploits in Linux systems and components, and it won\u2019t stop soon, as Linux is prevalent in many cloud-based architectures and servers.<\/p>\n
To me, the major problem with such flaws is that they’re often underestimated, mainly because they require a local user, so hackers need to be already in a machine to exploit them. It\u2019s not a valid reason to neglect the risk, as lateral movements and privilege escalations are now part of the hacker\u2019s routine.<\/p>\n
You can\u2019t rely on only one layer of security, and companies need to prepare for post-exploitation techniques.<\/p>\n
Read next: Top Endpoint Detection & Response (EDR) Solutions<\/a><\/p>\n\n\n
\n    \n\n    \n\n                
\n            \n                <\/path>\n            <\/svg>\n        <\/div>\n        \n        
\n            
\n                                
\n                    Get the Free Cybersecurity Newsletter                <\/h3>\n                \n                \n                                
\n                    Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday                <\/p>\n                            <\/div>\n\n            
\n                
\n                    \n                        Email Address\n                    <\/label>\n                    \n                <\/div>\n\n                                
\n                    
\n                        \n                        \n                            By signing up to receive our newsletter, you agree to our Terms of Use and Privacy Policy. You can unsubscribe at any time.                        <\/label>\n                    <\/div>\n                <\/div>\n                \n