CVE-2022-29799 - How an Unsanitized Path in networkd-dispatcher Opened Up Linux Systems (with Exploit Example)

In 2022, a critical vulnerability was discovered in the networkd-dispatcher service used by many Linux systems. Known as CVE-2022-29799, this flaw allowed attackers to escape out of a restricted directory through a simple directory traversal attack, potentially taking full control of affected machines. In this article, we’ll break down how the vulnerability works, see a simple exploit, and link to additional resources for deeper dives.

What is networkd-dispatcher?

networkd-dispatcher is a daemon that listens for signals from systemd-networkd about network interface events (like up, down, or change). It helps automate scripts when a network changes, running executables from the /etc/networkd-dispatcher directory.

CVE-2022-29799 Vulnerability Explained

The main issue is that networkd-dispatcher does not sanitize input when deciding which scripts to run. Specifically, it trusts names provided in OperationalState or AdministrativeState, without cleaning them up.

If an attacker is able to set a network state to something like ../../../../evil.sh, the service looks for a script in /etc/networkd-dispatcher/../../../../evil.sh, which actually refers to /evil.sh on the root, escaping the intended safe directory.

__In simple terms__: instead of running safe scripts, the daemon might execute *any* script, anywhere on the system, if an attacker can control the state fields.

1. Malicious Script Placement

Suppose an attacker manages to write a file somewhere outside the dispatcher directory—perhaps /tmp/evil.sh:

echo -e '#!/bin/bash\necho Hacked! > /tmp/pwned' > /tmp/evil.sh
chmod +x /tmp/evil.sh

2. Trigger Network State Change

Now, using a vulnerable environment (with appropriate permissions), an attacker makes the system report a network state such as:

State='../../../../../../tmp/evil.sh'

The vulnerable networkd-dispatcher interprets this as

/etc/networkd-dispatcher/../../../../../../tmp/evil.sh

Which resolves (after path normalization) to

/tmp/evil.sh

And, runs the script with root privileges (if networkd-dispatcher runs as root), resulting in compromised system.

Here's a proof of concept Python snippet that simulates the exploit path construction

import os

base_dir = '/etc/networkd-dispatcher'
untrusted_name = '../../../../../../tmp/evil.sh'  # Attacker-controlled
final_path = os.path.normpath(os.path.join(base_dir, untrusted_name))

print('Trying to run:', final_path)
# Output: Trying to run: /tmp/evil.sh

If the program then blindly runs final_path, you are in trouble!

References

- Ubuntu Security Notice USN-5474-1
- Debian Security Tracker - CVE-2022-29799
- Original GitHub Issue
- NVD – CVE-2022-29799

How To Stay Safe

The fix is simple: always sanitize and validate the paths! Updated versions of networkd-dispatcher now check for directory traversals and refuse any path that leaves the base directory.

Upgrade immediately if you are running a vulnerable version.

Restrict who can control network interfaces

- Audit any scripts in /etc/networkd-dispatcher

Final Thoughts

Directory traversal bugs like CVE-2022-29799 remind us how easy it is to make dangerous assumptions with filesystem paths. All software that loads external scripts should double-check their logic, and never trust inputs—even ones that seem internal.

Timeline

Published on: 09/21/2022 19:15:00 UTC
Last modified on: 09/23/2022 17:24:00 UTC