Nimbuspwn - A Linux Elevation of Privilege
Blog post by Microsoft that details a few vulnerabilities in the networkd-dispatcher component in systemd
which can be chained for LPE. When looking at the code flow, they noticed it would register a signal receiver on the system bus, and the handler would receive a state path followed by some data. If this state path was an existing object, and the data was different from the previously stored data, run_hooks_for_state() would be invoked. This routine calls all root-owned scripts in that state's directory, which gets built up as /etc/networkd-daemon/<state>/d.
Multiple issues exist here. First of all, this path construction is vulnerable to directory traversal, as the state is not sanitized. Furthermore, symbolic links are followed, both when checking the script files to load them into the list and when executing them with subprocess. This opens up a Time-of-Check Time-of-Use (TOCTOU) race: an attacker can traverse out of the protected directory and set up symbolic links. First, they point the link at a valid root-owned script so the symbolic link is loaded into the scripts list, then they change it to a script they control before subprocess goes to execute it.
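A hardened counterpart of the hook runner described above, written in Python because networkd-dispatcher is a Python daemon. This is an added example, not code from the Microsoft post or from the networkd-dispatcher project; the HOOK_BASE path, the function names and the owner_uid parameter are assumptions, and executing via /proc/self/fd/N assumes Linux. It closes all three gaps at once: the state name is validated before the path is built, symlinks are refused with O_NOFOLLOW, and the ownership and mode checks are done on the already-open descriptor that is then executed, so there is no window between check and use.

```python
import os
import stat
import subprocess

# Assumed layout following the page's description: hooks live in
# <base>/<state>/d under a root-owned base directory (placeholder path).
HOOK_BASE = "/etc/networkd-daemon"

def validate_state(state: str) -> str:
    """Reject state names that could escape the hook base (no '/', '..', NUL)."""
    if not state or state in (".", "..") or "/" in state or "\0" in state:
        raise ValueError(f"refusing suspicious state name: {state!r}")
    return state

def hook_dir_for_state(state: str, base: str = HOOK_BASE) -> str:
    """Build the per-state hook directory from a validated state name only."""
    return os.path.join(base, validate_state(state), "d")

def open_trusted_script(path: str, owner_uid: int = 0) -> int:
    """Open a hook with O_NOFOLLOW and vet the opened descriptor, so the file
    that is checked is the file that later runs. Returns an fd the caller must
    close; raises OSError (ELOOP) on symlinks and PermissionError otherwise."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != owner_uid:
            raise PermissionError(f"{path}: not owned by uid {owner_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: group- or world-writable")
        if not st.st_mode & stat.S_IXUSR:
            raise PermissionError(f"{path}: not executable")
    except BaseException:
        os.close(fd)
        raise
    return fd

def run_hooks_for_state(state: str, base: str = HOOK_BASE) -> list:
    """Run each vetted hook through its own fd (Linux /proc/self/fd/N), so a
    path swapped after the check cannot change what executes. Returns the
    names of the hooks that ran; symlinks and badly owned files are skipped."""
    ran = []
    for name in sorted(os.listdir(hook_dir_for_state(state, base))):
        try:
            fd = open_trusted_script(os.path.join(base, state, "d", name))
        except OSError:  # ELOOP on a symlink, or a failed ownership/mode check
            continue
        try:
            subprocess.run([f"/proc/self/fd/{fd}"], pass_fds=(fd,), check=False)
        finally:
            os.close(fd)
        ran.append(name)
    return ran
```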