Researchers at Microsoft discovered a number of vulnerabilities in the systemd unit known as networkd-dispatcher (CVE-2022-29799, CVE-2022-29800) that they collectively refer to as ‘nimbuspwn’. The two vulnerabilities are a directory traversal and a time-of-check to time-of-use (TOCTOU) race condition. The networkd-dispatcher unit is used to propagate network status changes so that various other system components can react accordingly. These communications are performed over the Desktop Bus, commonly referred to as ‘D-Bus’. D-Bus is a software bus that allows processes on a host to communicate with each other by sending messages across the bus.
D-Bus components are identified on the bus by unique names. This is the basis for how a threat actor would be able to communicate with networkd-dispatcher, exploiting the flow in which networkd-dispatcher takes in messages from the bus and acts on them. D-Bus provides two different types of bus, a Session Bus and a System Bus. The System Bus is typically more desirable for a threat actor, as this is where most root-level processes communicate. The D-Bus component name of interest here is “org.freedesktop.network1”. Networkd-dispatcher, which runs as root on the System Bus, listens for messages from this network-related D-Bus component. Through the two vulnerabilities in the process flow of networkd-dispatcher, it becomes possible to have networkd-dispatcher execute a payload as root on behalf of the “org.freedesktop.network1” D-Bus component, allowing any number of malicious actions to be performed.
The vulnerabilities that the Microsoft researchers discovered were quickly patched by the maintainer of networkd-dispatcher, Clayton Craft. The disclosure is recent enough that many operating system CVE pages have not yet been updated with the current status of their upstream patches. Until then, it should be assumed that the patch isn’t available yet.
Binary Defense researchers worked to replicate the exploit process that Microsoft outlined. In our review of the D-Bus source code, we confirmed that most mainstream operating systems come prepackaged with hardened configurations for D-Bus, including:
• Ubuntu 20.04
• Ubuntu 18.04
• Debian 11
• Debian 10
• CentOS 8
• CentOS 7
Hardened configurations for D-Bus restrict which connections may own a given component name on the System Bus, in this case “org.freedesktop.network1”. The configuration file is typically found at /usr/share/dbus-1/system.conf. It is important to ensure that the ‘own’ rule in the default policy is a deny rather than an allow.
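As an added example (not part of the original Binary Defense article or any D-Bus project code), the following Python script audits a D-Bus busconfig policy for who would be allowed to own the “org.freedesktop.network1” name. Both configurations it checks are constructed samples modelled on the stock system.conf layout, with a weak variant in which a later allow rule overrides the deny. The rule evaluation it implements (policies applied in document order, last matching rule wins, deny when nothing matches, own="*" as the only wildcard, own_prefix matching the name or any sub-name) follows the dbus-daemon man page; group and mandatory policy contexts are left out as a simplification. Point it at a real /usr/share/dbus-1/system.conf plus the drop-ins under system.d to check your own host.

```python
"""Audit a D-Bus busconfig policy: who may own a well-known bus name?"""
import xml.etree.ElementTree as ET

NAME = "org.freedesktop.network1"

# Constructed sample of a hardened system bus policy, modelled on the stock
# /usr/share/dbus-1/system.conf layout plus a per-service drop-in that grants
# the name only to the systemd-network user (sample, not copied from a distro).
HARDENED_CONF = """<?xml version="1.0"?>
<busconfig>
  <policy context="default">
    <allow user="*"/>
    <deny own="*"/>
    <deny send_type="method_call"/>
  </policy>
  <policy user="root">
    <allow own="*"/>
  </policy>
  <policy user="systemd-network">
    <allow own="org.freedesktop.network1"/>
  </policy>
</busconfig>
"""

# Constructed sample of a weak policy: a later allow rule in the default
# context overrides the deny, so any local connection may claim the name.
WEAK_CONF = """<?xml version="1.0"?>
<busconfig>
  <policy context="default">
    <allow user="*"/>
    <deny own="*"/>
    <allow own_prefix="org.freedesktop"/>
  </policy>
</busconfig>
"""


def rule_matches_own(rule, name):
    """True if an <allow>/<deny> element decides ownership of `name`.
    dbus-daemon treats own="*" as the only wildcard; any other own= value is
    an exact match, and own_prefix= matches the name itself or any sub-name."""
    own = rule.get("own")
    if own is not None:
        return own == "*" or own == name
    prefix = rule.get("own_prefix")
    if prefix is not None:
        return name == prefix or name.startswith(prefix + ".")
    return False


def policy_allows_own(policy, name, verdict=False):
    """Fold the rules of one <policy> in document order; the last match wins."""
    for rule in policy:
        if rule.tag in ("allow", "deny") and rule_matches_own(rule, name):
            verdict = rule.tag == "allow"
    return verdict


def default_context_allows_own(conf_xml, name):
    """Would an arbitrary connection be allowed to own `name` under the
    context="default" policies alone?  dbus-daemon denies when no rule
    matches, so the starting verdict is False."""
    root = ET.fromstring(conf_xml)
    verdict = False
    for policy in root.iter("policy"):
        if policy.get("context") == "default":
            verdict = policy_allows_own(policy, name, verdict)
    return verdict


def users_allowed_own(conf_xml, name):
    """Set of users whose user= policies end up allowing ownership of `name`.
    User policies are layered on top of the default-context verdict."""
    root = ET.fromstring(conf_xml)
    base = default_context_allows_own(conf_xml, name)
    users = {}
    for policy in root.iter("policy"):
        user = policy.get("user")
        if user is not None:
            users[user] = policy_allows_own(policy, name, users.get(user, base))
    return {u for u, allowed in users.items() if allowed}


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(label, "| default context may own", NAME, "->",
              default_context_allows_own(conf, NAME),
              "| users allowed:", sorted(users_allowed_own(conf, NAME)))
```

The thing to look for in the output is that the default context reports False for the name and that only the expected service account (and root) appears in the allowed-user set; an allow that reaches the default context, whether directly or through an own_prefix rule, is the weak setting the article warns about.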