Vulnerabilities in networkd-dispatcher that allow root access

Security researchers from Microsoft have identified two vulnerabilities (CVE-2022-29799, CVE-2022-29800) in the networkd-dispatcher service, code-named Nimbuspwn, that allow an unprivileged user to execute arbitrary commands with root privileges. The problem is fixed in the networkd-dispatcher 2.2 release. There is no information on the publication of updates by distributions (Debian, RHEL, Fedora, SUSE, Ubuntu, Arch Linux).

Networkd-dispatcher is used in many Linux distributions, including Ubuntu, that rely on the systemd-networkd background process to configure network parameters. It performs functions similar to NetworkManager-dispatcher, i.e. it launches scripts when the state of a network connection changes; for example, it is used to start a VPN after the main network connection has been established.

The background process associated with networkd-dispatcher runs as root and receives event signals over D-Bus. Information about events related to changes in the state of network connections is sent by the systemd-networkd service. The problem is that unprivileged users can generate an event for a non-existent state and trigger their own script to be executed as root.

Systemd-networkd is designed to run only system handler scripts located in the /etc/networkd-dispatcher directory, which the user cannot replace, but because of a vulnerability (CVE-2022-29799) in the file path handling code it was possible to escape the base directory and launch arbitrary scripts. Specifically, the file path to the script was built from the OperationalState and AdministrativeState values passed over D-Bus, from which special characters were not stripped. An attacker could generate their own state whose name contained the characters “../” and redirect the networkd-dispatcher call to another directory.

The second vulnerability (CVE-2022-29800) is a race condition: between checking the script's parameters (ownership by root) and running it there was a short window, long enough to replace the file and bypass the check that the script belongs to the root user. In addition, networkd-dispatcher did not check for symbolic links, including when running scripts through the subprocess.Popen call, which made the attack much easier to organize.

Exploitation technique:

  • A directory “/tmp/nimbuspwn” and a symbolic link “/tmp/nimbuspwn/poc.d” are created; the link points to the “/sbin” directory, which is used to pass the check for executable files owned by root.
  • For executable files from “/sbin”, files with the same name are created in the “/tmp/nimbuspwn” directory. For example, for the file “/sbin/vgs” an executable file “/tmp/nimbuspwn/vgs” is created, owned by the unprivileged user, into which the code the attacker wants to run is placed.
  • A signal is sent over D-Bus to the networkd-dispatcher process with the value “../../../tmp/nimbuspwn/poc” in OperationalState. To send a signal in the “org.freedesktop.network1” namespace, the ability to attach one's own handlers to systemd-networkd was used, for example through manipulations with gpgv or epmd, or one can use the fact that systemd-networkd is not running by default (for example, on Linux Mint).
  • After receiving the signal, networkd-dispatcher builds a list of executable files owned by the root user and available in the directory “/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d”, which in fact refers to “/sbin”.
  • At the moment when the list of files has been obtained but the script has not yet been started, the symbolic link is redirected from “/tmp/nimbuspwn/poc.d” to “/tmp/nimbuspwn”, and networkd-dispatcher launches the script placed by the attacker with root privileges.
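
The two missing checks described above, sketched as an added example (this is not code from networkd-dispatcher or from the original article). The function names, the state-name pattern and the `owner_uid` parameter are assumptions made for illustration: the state value is validated before it becomes part of a path, and ownership is checked on an already opened descriptor rather than on a path that can be swapped afterwards.

```python
import os
import re
import stat

BASE_DIR = "/etc/networkd-dispatcher"   # handler directory named in the article
STATE_RE = re.compile(r"[a-z][a-z-]*")  # assumption: state names are lowercase words


def handler_dir(state, base=BASE_DIR):
    """Map a D-Bus state value to <base>/<state>.d, refusing anything that
    could resolve outside base (the CVE-2022-29799 class of bug)."""
    if not STATE_RE.fullmatch(state):
        raise ValueError(f"rejected state value: {state!r}")
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, state + ".d"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"handler directory escapes {root}: {path}")
    return path


def open_owned_scripts(directory, owner_uid=0):
    """Return {name: fd} for executable regular files owned by owner_uid.
    Each entry is opened once without following symlinks and checked with
    fstat on the descriptor, so the check applies to the opened file and not
    to whatever the path names later (the CVE-2022-29800 class of bug)."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    dir_fd = os.open(directory, flags | os.O_DIRECTORY)
    accepted = {}
    try:
        for name in sorted(os.listdir(dir_fd)):
            try:
                fd = os.open(name, flags, dir_fd=dir_fd)
            except OSError:
                continue  # symlink (ELOOP) or unreadable entry
            st = os.fstat(fd)
            if (stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid
                    and st.st_mode & stat.S_IXUSR):
                accepted[name] = fd
            else:
                os.close(fd)
    finally:
        os.close(dir_fd)
    return accepted
```
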

Source: opennet.ru
