Recently, a new vulnerability, CVE-2022-29800, has been discovered in networkd-dispatcher, which is a critical component in the networking stack for many Linux-based systems. This vulnerability is caused by a time-of-check-time-of-use (TOCTOU) race condition and can be exploited by attackers to replace legitimate scripts assumed to be owned by root with malicious ones. In this long-read post, we will discuss the details of this vulnerability, including code snippets, original references, and exploit information. Understanding these vulnerabilities and how they can be exploited is essential for securing systems and protecting users from potential attacks.
Background
Networkd-dispatcher is a daemon and a critical component for handling various network-related tasks like managing IP addresses, DHCP leases, and DNS configuration in many Linux distributions. In specific scenarios, networkd-dispatcher relies on running scripts placed by system administrators or package maintainers in specific directories for processing network events.
The flaw
The vulnerability (CVE-2022-29800) exists due to the TOCTOU race condition occurring between the discovery of scripts by networkd-dispatcher and when they are run. During this time, an attacker can exploit this flaw to replace the inode of the script that networkd-dispatcher believes to be owned by root by overwriting the script with malicious content.
The primary issue occurs when networkd-dispatcher checks the access permissions and ownership of a script before executing it. Here is a simplified code snippet of the affected portion from the networkd-dispatcher source code:
def find_scripts(path):
scripts = []
for entry in os.listdir(path):
full_path = os.path.join(path, entry)
if os.path.isfile(full_path) and os.access(full_path, os.X_OK):
st = os.stat(full_path)
if st.st_uid == :
scripts.append(full_path)
return scripts
def run_scripts(scripts):
for script in scripts:
subprocess.call(script)
scripts = find_scripts("/path/to/scripts")
run_scripts(scripts)
In the code snippet above, find_scripts function first lists all the files in a specific directory and then checks if each file is executable (os.access(full_path, os.X_OK)) and owned by root (st.st_uid == ). If the script passes both checks, it is added to the list of scripts to be executed.
After discovering all the scripts that meet these criteria, they are executed in sequence using the run_scripts function. However, there is a gap between the time when the find_scripts function completes scanning and when the run_scripts function starts execution. During this window, a malicious actor can exploit the TOCTOU race condition by replacing the legitimate script with a malicious one.
Exploit details
The exploit is achieved using a simple symlink attack. The attacker first creates a malicious script, not owned by root, that will be used to replace the legitimate script. Then, they continuously monitor the target directory for any inode changes in the scripts. When the legitimate script is found by networkd-dispatcher, the attacker quickly replaces the inode with the malicious script. As a result, when the run_scripts function is called, it unknowingly executes the malicious script, leading to arbitrary code execution with root privileges.
Prevention and mitigation
The best way to prevent this vulnerability is to patch the networkd-dispatcher software. Most Linux distributions have released updates that address this issue. However, suppose a patch is not available or cannot be applied immediately. In that case, administrators can monitor the networkd-dispatcher script directories for any suspicious activities or unauthorized changes and restrict user access to execute any other scripts.
The CVE-2022-29800 vulnerability was first reported on 2022-02-05 at the following resources
1. MITRE CVE entry
2. National Vulnerability Database (NVD) entry
If you are a system administrator or security professional, it is crucial that you treat this vulnerability seriously and apply the suitable patches or mitigations to ensure your systems' security and the safety of your users.
Timeline
Published on: 09/21/2022 19:15:00 UTC
Last modified on: 09/23/2022 17:16:00 UTC