Microsoft Discovers Nimbuspwn Privilege Escalation Vulnerability on Linux Systems Granting Hackers Root Permissions

Microsoft discovered a privilege escalation vulnerability in Linux environments that could allow an attacker to take over computer systems.

The vulnerabilities collectively referred to as Nimbuspwn could be chained together to gain root privileges, allowing an attacker to create backdoors, deploy malicious payloads, and perform root code execution.

Microsoft says Nimbuspwn vulnerabilities could potentially be leveraged as a vector for ransomware deployment and other sophisticated threats, including nation-state cyber-espionage.

Nimbuspwn Linux privilege escalation vulnerability explained

Microsoft 365 defender research team began by listening to messages on the system bus leading them to review the code for the networkd-dispatcher.

They discovered information leaks via Directory Info Disclosure in Blueman and Directory Info Disclosure in PackageKit (CVE-2022-0987). Further probes led to the discovery of more issues on the networkd-dispatcher whose daemon runs at boot with root privileges.

A review of networkd-dispatcher code led to the discovery of directory traversal, symlink race, and time-of-check-time-of-use race conditions.

Microsoft says the networkd-dispatcher daemon used the “_run_hooks_for_state” method to discover and run scripts depending on the network state.

The method returns executable script files from the “/etc/networkd-dispatcher/.d” owned by the root user and the root group. The daemon then runs each script using the subprocess.Popen process.

Vulnerabilities in the networkd-dispatcher components:

  • The use of symbolic links – Microsoft discovered that the subprocess.Popen follows symbolic links in the discovery and running of scripts in the base directory.
  • Directory traversal vulnerability (CVE-2022-29799) – Microsoft discovered that the control flow fails to sanitize the OperationalState and the AdministrativeState states. Since the states are responsible for creating the executable script paths, an attacker could escape the “/etc/networkd-dispatcher” directory using the “../../” directory traversal patterns.
  • Time-of-check-time-of-use race condition (CVE-2022-29800) – Microsoft discovered a time gap between the discovery and execution of the root…