Now that is not a heading I thought I would ever write… I mean 20 years ago imagining that Microsoft would be working with Linux to the point where it would find and report a bug in Linux was unimaginable. For the longest time MS considered Linux to be a massive danger to it’s operations which is why former Microsoft CEO Steve Ballmer famously branded Linux “a cancer that attaches itself in an intellectual property sense to everything it touches” back in 2001. However that has now changed and Windows now has a Windows Subsystem for Linux (wsl) that allows users to run Linux programs from within Windows seamlessly.
This particular flaw which is tracked as CVE-2022-29799 and CVE-2022-29800 combine threats including directory traversal, symlink race, and time-of-check time-of-use (TOCTOU) race condition to gain root access. It was found when a Microsoft researcher Jonathan Bar Or was examining the code for a component known as “_run_hooks_for_state”. The flow to exploit would look something like the following (Thanks ARS Technica for the walkthrough):
Prepare a directory ”/tmp/nimbuspwn” and plant a symlink ”/tmp/nimbuspwn/poc.d“ to point to “/sbin”. The “/sbin” directory was chosen specifically because it has many executables owned by root that do not block if run without additional arguments. This will abuse the symlink race issue we mentioned earlier.
For every executable filename under “/sbin” owned by root, plant the same filename under “/tmp/nimbuspwn”. For example, if “/sbin/vgs” is executable and owned by root, plant an executable file “/tmp/nimbuspwn/vgs” with the desired payload. This will help the attacker win the race condition imposed by the TOCTOU vulnerability.
Send a signal with the OperationalState “../../../tmp/nimbuspwn/poc”. This abuses the directory traversal vulnerability and escapes the script directory.
The networkd-dispatcher signal handler kicks in and builds the script list from the directory “/etc/networkd-dispatcher/../../../tmp/nimbuspwn/poc.d”, which is really the symlink (“/tmp/nimbuspwn/poc.d”), which points to “/sbin”. Therefore, it creates a list composed of many executables owned by root.
Quickly change the symlink “/tmp/nimbuspwn/poc.d” to point to “/tmp/nimbuspwn”. This abuses the TOCTOU race condition vulnerability—the script path changes without networkd-dispatcher being aware.
The dispatcher starts running files that were initially under “/sbin” but in truth under the “/tmp/nimbuspwn” directory. Since the dispatcher “believes” those files are owned by root, it executes them blindly with subprocess.Popen as root. Therefore, our attacker has successfully exploited the vulnerability.
The vulnerability has been patched in the networkd-dispatcher and users running vulnerable systems should patch immediately.
Source: Microsoft finds Linux desktop flaw that gives root to untrusted users
– Suramya