Vulnerabilities in networkd-dispatcher that allow root access

Security researchers from Microsoft have identified two vulnerabilities (CVE-2022-29799, CVE-2022-29800) in the networkd-dispatcher service, codenamed Nimbuspwn, that allow an unprivileged user to execute arbitrary commands with root privileges. The issue is fixed in the networkd-dispatcher 2.2 release. There is no information yet about distributions publishing updates (Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux).

networkd-dispatcher is used in many Linux distributions, including Ubuntu, that rely on the systemd-networkd background process to configure network parameters. It performs functions similar to NetworkManager-dispatcher, i.e. it launches scripts when the state of a network connection changes; for example, it is used to start a VPN after the main network connection has been established.

The background process associated with networkd-dispatcher runs as root and receives event signals over D-Bus. Information about events related to changes in network connection state is sent by the systemd-networkd service. The problem is that unprivileged users can generate an event for a non-existent state and cause their own script to be executed as root.

Systemd-networkd was designed to run only system handler scripts that are located in the /etc/networkd-dispatcher directory and cannot be replaced by users, but because of a vulnerability (CVE-2022-29799) in the file path handling code it was possible to leave the base directory and launch arbitrary scripts. Specifically, the file path to the script was built from the OperationalState and AdministrativeState values passed over D-Bus, and special characters were not stripped from them. An attacker could generate their own state whose name contains the characters "../" and redirect the networkd-dispatcher call to another directory.

The second vulnerability (CVE-2022-29800) is a race condition: between checking the script's parameters (that it belongs to root) and running it there is a short window of time, which is enough to replace the file and bypass the check that the script is owned by root. In addition, networkd-dispatcher did not check for symbolic links, including when running scripts through the process-launch call, which simplified the attack.

Exploitation technique:

  • A directory "/tmp/nimbuspwn" is created together with a symbolic link "/tmp/nimbuspwn/poc.d" pointing to the "/sbin" directory, which is used to pass the check for executable files owned by root.
  • For executable files from "/sbin", files with the same names are created in the "/tmp/nimbuspwn" directory; for example, for the file "/sbin/vgs" an executable file "/tmp/nimbuspwn/vgs" is created, owned by an unprivileged user, containing the code the attacker wants to run.
  • A signal is sent over D-Bus to the networkd-dispatcher process with the value "../../../tmp/nimbuspwn/poc" in OperationalState. To send a signal in the "org.freedesktop.network1" namespace, the ability to attach one's own handlers to systemd-networkd was used, for example through manipulations with gpgv or epmd, or one can take advantage of the fact that systemd-networkd is not running by default (for example, on Linux Mint).
  • After receiving the signal, networkd-dispatcher builds a list of executable files that are owned by root and located in the directory "/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d", which actually refers to "/sbin".
  • At the moment when the list of files has been obtained but the scripts have not yet been launched, the symbolic link is switched from "/tmp/nimbuspwn/poc.d" to "/tmp/nimbuspwn", and networkd-dispatcher launches the script prepared by the attacker with root rights.
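One way a dispatcher could guard against both problems described above, shown as an added example that is not networkd-dispatcher's own code or its 2.2 fix: state names from D-Bus are matched against an allowlist pattern before the path is built, and the script directory is opened without following a symbolic link and checked through that descriptor. The names `STATE_RE`, `script_dir_for` and `trusted_scripts` and the state-name pattern are assumptions made for illustration.

```python
import os
import re
import stat

# Assumption: state names are short lowercase words with optional hyphens
# (for example "routable" or "no-carrier"); anything else is rejected.
STATE_RE = re.compile(r"[a-z][a-z-]{0,31}")


def script_dir_for(base, state):
    """Return <base>/<state>.d, refusing values that could leave base."""
    if not STATE_RE.fullmatch(state):
        raise ValueError(f"rejected state name: {state!r}")
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, state + ".d"))
    # A symlinked <state>.d resolves elsewhere and fails this comparison.
    if os.path.dirname(candidate) != real_base:
        raise ValueError(f"{state!r} resolves outside {real_base}")
    return candidate


def trusted_scripts(directory, owner_uid=0):
    """Names of regular executables owned by owner_uid that nobody else can write."""
    # O_NOFOLLOW fails if the final path component is a symlink; holding the
    # descriptor pins the directory, so a later link swap cannot change what
    # the ownership checks below look at.
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        trusted = []
        for name in sorted(os.listdir(dir_fd)):
            st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & 0o111 and not st.st_mode & 0o022):
                trusted.append(name)
        return trusted
    finally:
        os.close(dir_fd)


if __name__ == "__main__":
    # Constructed inputs: one ordinary state and the value from the steps above.
    for state in ("routable", "../../../tmp/nimbuspwn/poc"):
        try:
            print(state, "->", script_dir_for("/etc/networkd-dispatcher", state))
        except ValueError as err:
            print("blocked:", err)
```

A caller still has to launch each script relative to the same pinned directory; resolving the path again by name at launch time would reopen the gap between check and execution.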



source: budenet.ru
