Ua ʻike nā mea noiʻi palekana mai Microsoft i ʻelua mau nāwaliwali (CVE-2022-29799, CVE-2022-29800) i loko o ka lawelawe networkd-dispatcher, codenamed Nimbuspwn, e ʻae ai i kahi mea hoʻohana pono ʻole e hoʻokō i nā kauoha kūʻokoʻa me nā pono kumu. Hoʻopaʻa ʻia ka pilikia ma ka hoʻokuʻu ʻana o networkd-dispatcher 2.2. ʻAʻohe ʻike e pili ana i ka hoʻolaha ʻana o nā mea hou e ka hāʻawi ʻana (Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux).
Hoʻohana ʻia ʻo Networkd-dispatcher i nā mahele Linux he nui, me ka Ubuntu, ka mea e hoʻohana i ke kaʻina hope systemd-networkd e hoʻonohonoho i nā ʻāpana pūnaewele, a hana i nā hana e like me NetworkManager-dispatcher, ʻo ia. pili i ka hoʻomaka ʻana i nā palapala i ka wā e loli ai ke kūlana o kahi pilina pūnaewele, no ka laʻana, hoʻohana ʻia e hoʻomaka VPN ma hope o ka hoʻokumu ʻana i ka pilina pūnaewele nui.
E holo ana ke kaʻina hana hope me ka networkd-dispatcher ma ke ʻano he kumu a loaʻa nā hōʻailona hanana ma o ka D-Bus. Hoʻouna ʻia ka ʻike e pili ana i nā hanana e pili ana i nā loli i ke kūlana o nā pili pūnaewele e ka lawelawe systemd-networkd. ʻO ka pilikia, hiki i nā mea hoʻohana pono ʻole ke hana i kahi hanana mokuʻāina ʻole a hoʻomaka i kā lākou palapala e hoʻokō ʻia ma ke ʻano he kumu.
Ua hoʻolālā ʻia ʻo Systemd-networkd e holo wale i nā ʻatikala mea hoʻohana pūnaewele aia ma ka papa kuhikuhi /etc/networkd-dispatcher a ʻaʻole hiki ke loaʻa no ka hoʻololi ʻana o ka mea hoʻohana, akā ma muli o kahi nāwaliwali (CVE-2022-29799) i loko o ka code processing ala faila, aia kahi hiki ke loaʻa kahi papa kuhikuhi kumu ma waho o ka palena a me ka hoʻokuʻu ʻana i nā palapala kuhi hewa. ʻO ka mea kūikawā, i ka hana ʻana i ke ala faila i ka palapala, ua hoʻohana ʻia nā waiwai OperationalState a me AdministrativeState i hoʻouna ʻia ma o D-Bus, kahi i hoʻomaʻemaʻe ʻole ʻia ai nā mea kūikawā. Hiki i ka mea hoʻouka ke hana i kona mokuʻāina ponoʻī, nona ka inoa i loaʻa nā huaʻōlelo "../" a hoʻihoʻi hou i ke kelepona pūnaewele-dispatcher i kahi papa kuhikuhi ʻē aʻe.
ʻO ka lua o ka nāwaliwali (CVE-2022-29800) pili i kahi kūlana lāhui - ma waena o ka nānā ʻana i nā ʻāpana script (no ke aʻa) a me ka holo ʻana, aia kahi manawa pōkole, lawa e pani i ka faila a kāpae i ka nānā inā No ka mea hoʻohana kumu. Eia kekahi, ʻaʻole i nānā ka networkd-dispatcher i nā loulou hōʻailona, me ka wā e holo ana i nā palapala ma o ka subprocess.Popen call, ka mea i maʻalahi i ka hoʻonohonoho ʻana o ka hoʻouka ʻana.
ʻenehana hana:
- Hoʻokumu ʻia kahi papa kuhikuhi "/tmp/nimbuspwn" a me kahi loulou hōʻailona "/tmp/nimbuspwn/poc.d" e kuhikuhi ana i ka papa kuhikuhi "/sbin", i hoʻohana ʻia e nānā i nā faila hiki ke hoʻokō ʻia e ke kumu.
- No nā faila hiki ke hoʻokō ʻia mai "/ sbin", ua hana ʻia nā faila me ka inoa like ma ka papa kuhikuhi "/tmp/nimbuspwn", no ka laʻana, no ka faile "/ sbin/vgs" kahi faila hiki ke hoʻokō ʻia "/tmp/nimbuspwn/vgs" hana ʻia, nona ka mea hoʻohana pono ʻole, kahi i hoʻokomo ʻia ai ke code a ka mea hoʻouka e makemake ai e holo.
- Hoʻouna ʻia kahi hōʻailona ma o D-Bus i ke kaʻina hana networkd-dispatcher e hōʻike ana i ka waiwai "../../../tmp/nimbuspwn/poc" ma OperationalState. No ka hoʻouna ʻana i kahi hōʻailona ma ka inoa inoa "org.freedesktop.network1", ua hoʻohana ʻia ka hiki ke hoʻopili i kāna mau mea lawelawe i systemd-networkd, no ka laʻana, ma o nā manipulations me gpgv a i ʻole epmd, a i ʻole hiki iā ʻoe ke hoʻohana i ka pono o ka systemd-networkd. ʻaʻole holo ma ke ʻano maʻamau (no ka laʻana, ma Linux Mint).
- Ma hope o ka loaʻa ʻana o ka hōʻailona, kūkulu ʻo Networkd-dispatcher i kahi papa inoa o nā faila i hoʻokō ʻia e ka mea hoʻohana kumu a loaʻa i ka papa kuhikuhi "/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d", pili maoli i "/sbin".
- I ka manawa i loaʻa ai ka papa inoa o nā faila, akā ʻaʻole i hoʻomaka ʻia ka palapala, ua hoʻohuli ʻia ka loulou hōʻailona mai "/tmp/nimbuspwn/poc.d" i "/tmp/nimbuspwn" a e hoʻomaka ka networkd-dispatcher i ka ʻatikala i mālama ʻia e ka mea hoʻouka me nā kuleana kumu.
Source: opennet.ru