Vulnerabilities in networkd-dispatcher allow root access

Microsoft security researchers have identified two vulnerabilities (CVE-2022-29799, CVE-2022-29800) in the networkd-dispatcher service, codenamed Nimbuspwn, that allow an unprivileged user to execute arbitrary commands with root privileges. The problem was fixed in networkd-dispatcher 2.2. There is no information yet on whether distributions have published updates (Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux).

networkd-dispatcher is used in many Linux distributions, including Ubuntu, that use the systemd-networkd background process to configure network parameters. It performs functions similar to NetworkManager-dispatcher: it runs scripts when the state of a network connection changes. For example, it is used to start a VPN after the main network connection has been established.

The background process associated with networkd-dispatcher runs as root and receives event signals over D-Bus. Information about events related to changes in the state of network connections is sent by the systemd-networkd service. The problem is that unprivileged users can generate an event for a nonexistent state and cause their own script to be executed as root.

Systemd-networkd is designed to run only the system handler scripts located in the /etc/networkd-dispatcher directory, which users cannot replace, but because of a vulnerability (CVE-2022-29799) in the file path handling code it was possible to escape the base directory and run arbitrary scripts. Specifically, the file path to the script was built from the OperationalState and AdministrativeState values passed over D-Bus, and special characters in those values were not sanitized. An attacker could generate their own state with "../" characters in its name and redirect the networkd-dispatcher call to another directory.

The second vulnerability (CVE-2022-29800) is a race condition: between checking the script's attributes (owned by root) and running it there was a short window of time, long enough to replace the file and bypass the check that the script belongs to the root user. In addition, networkd-dispatcher did not check for symbolic links, including when running scripts through the subprocess.Popen call, which made the attack considerably easier to carry out.
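The two defects described above, seen from the fix side, as an added example that is not networkd-dispatcher's own code: the state value is validated and the resolved directory must stay under the base directory, and the ownership check is done on an already opened file descriptor that is then the thing executed. The function names, the state-name pattern and the `owner_uid` parameter are assumptions made for illustration; executing through `/proc/self/fd` is Linux-specific.

```python
import os
import re
import stat
import subprocess

BASE_DIR = "/etc/networkd-dispatcher"   # handler directory named in the article
STATE_RE = re.compile(r"[a-z][a-z-]*")  # assumption: state names are lowercase words

def script_dir(state, base=BASE_DIR):
    """Map a state value received over D-Bus to <base>/<state>.d."""
    if not STATE_RE.fullmatch(state):
        raise ValueError(f"rejected state value: {state!r}")
    base_real = os.path.realpath(base)
    path = os.path.realpath(os.path.join(base_real, state + ".d"))
    # realpath() resolves ".." and symlinks, so a link leading out of base is caught too
    if os.path.commonpath([base_real, path]) != base_real:
        raise ValueError(f"{path} is outside {base_real}")
    return path

def open_checked(path, owner_uid=0):
    """Open a handler without following a symlink, then vet the opened file."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)  # describes the inode behind fd, not what the name points to now
        if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
            raise PermissionError(f"{path}: not a regular file owned by uid {owner_uid}")
        if not st.st_mode & stat.S_IXUSR or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{path}: bad mode {stat.filemode(st.st_mode)}")
    except Exception:
        os.close(fd)
        raise
    return fd

def run_checked(path, owner_uid=0):
    """Execute the inode that passed the check, so a later swap of the name has no effect."""
    fd = open_checked(path, owner_uid)
    try:
        return subprocess.run([f"/proc/self/fd/{fd}"], pass_fds=[fd]).returncode
    finally:
        os.close(fd)
```

`O_NOFOLLOW` only covers the final path component; the directory components are covered by the containment check in `script_dir`, which assumes the base directory itself is writable only by root.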

Exploitation technique:

  • A directory "/tmp/nimbuspwn" and a symbolic link "/tmp/nimbuspwn/poc.d" are created, with the link pointing to the "/sbin" directory, which is used to pass the check for executable files owned by root.
  • For executable files from "/sbin", files with the same names are created in the "/tmp/nimbuspwn" directory. For example, for the file "/sbin/vgs" an executable file "/tmp/nimbuspwn/vgs" is created, owned by an unprivileged user, and the code the attacker wants to run is placed in it.
  • A signal is sent over D-Bus to the networkd-dispatcher process with the OperationalState value set to "../../../tmp/nimbuspwn/poc". To send a signal in the "org.freedesktop.network1" namespace, the ability to attach custom handlers to systemd-networkd was used, for example through manipulations with gpgv or epmd, or one can take advantage of the fact that systemd-networkd is not running by default (for example, in Linux Mint).
  • After receiving the signal, networkd-dispatcher builds a list of executable files that are owned by root and located in the directory "/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d", which actually refers to "/sbin".
  • Once the list of files has been obtained but before the script is started, the symbolic link is redirected from "/tmp/nimbuspwn/poc.d" to "/tmp/nimbuspwn", and networkd-dispatcher runs the script placed by the attacker with root rights.



Source: opennet.ru