This tool performs several tests to determine whether the system is possibly vulnerable to Nimbuspwn (CVE-2022-29799 & CVE-2022-29800), a vulnerability in the networkd-dispatcher daemon discovered by the Microsoft 365 Defender Research Team.
A system is deemed possibly vulnerable to exploitation if all of the following conditions are met:

- The vulnerable `networkd-dispatcher` service is running.
- The `systemd-networkd` service is either not running or not set to run at next boot. This service claims the `org.freedesktop.network1` bus name on startup, so while it is running an attacker cannot own that name and send messages on the bus.
- The `systemd-network` user is in use: either a process owned by this user is running, or setuid executables owned by this user exist. An attacker must run code as the `systemd-network` user in order to own the `org.freedesktop.network1` bus name and exploit the vulnerability, and may be able to subvert such processes or setuid executables to run arbitrary code. Note that the existence of such processes or binaries does not guarantee that an attacker can subvert them for arbitrary code execution.
```sh
./nimbuspwn-detector.sh [--full-suid]
```
The tool checks for the preconditions listed in the previous section.

When the `--full-suid` flag is not given, setuid executables owned by `systemd-network` are searched for recursively under the `/sbin` and `/usr/sbin` directories only.

When the `--full-suid` flag is given, the search is performed recursively over the entire root volume (`/`), which is more thorough but noticeably slower on large filesystems.
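The three preconditions and the two setuid search scopes, re-implemented as an added example in POSIX shell. This is not the project's `nimbuspwn-detector.sh` and does not reproduce its output format; the function names, the file name `nimbuspwn_check.sh`, the use of `systemctl is-active` / `is-enabled` strings as inputs, and the choice to treat `static` units as not enabled at boot are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not the project's nimbuspwn-detector.sh): the Nimbuspwn
# preconditions as small POSIX shell functions.  The decision logic is kept
# separate from the system calls so it can be exercised on constructed input.
# Assumptions: systemd's `systemctl is-active` / `is-enabled` wording, and
# procps `ps -o user:32=` to avoid truncating long user names.

NETWORK_USER="systemd-network"

# Interpret `systemctl is-active <unit>` output: only "active" means running.
unit_is_active() {
    [ "$1" = "active" ]
}

# Interpret `systemctl is-enabled <unit>` output.  Assumption: only
# "enabled"/"enabled-runtime" mean the unit starts on its own at next boot;
# "static" units are pulled in by dependencies and are treated as not enabled.
unit_is_enabled() {
    case "$1" in
        enabled|enabled-runtime) return 0 ;;
        *) return 1 ;;
    esac
}

# Precondition 3a: is any process owned by user $1?  $2 is a newline-separated
# list of process owners, as produced by `ps -eo user:32=`.
user_has_process() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Precondition 3b: count setuid regular files owned by $1 under the directories
# given as the remaining arguments (same predicate as `find -perm -4000 -user`).
# Missing directories or an unknown user simply contribute nothing.
count_suid_owned_by() {
    user=$1
    shift
    find "$@" -xdev -type f -perm -4000 -user "$user" 2>/dev/null | wc -l | tr -d ' '
}

# Combine the preconditions.  Returns 0 (true) when the host is *possibly*
# vulnerable:  dispatcher running
#          AND (networkd not running OR not enabled at boot)
#          AND (a systemd-network process exists OR a setuid file it owns exists)
possibly_vulnerable() {
    dispatcher_state=$1
    networkd_state=$2
    networkd_enabled=$3
    has_proc=${4:-0}
    suid_count=${5:-0}
    unit_is_active "$dispatcher_state" || return 1
    if unit_is_active "$networkd_state" && unit_is_enabled "$networkd_enabled"; then
        # systemd-networkd owns org.freedesktop.network1 now and after reboot.
        return 1
    fi
    [ "$has_proc" = 1 ] || [ "$suid_count" -gt 0 ]
}

# Live check on a systemd host.  Default scope is /sbin and /usr/sbin;
# --full-suid searches the whole root volume, like the detector's flag.
run_live_check() {
    if [ "${1:-}" = "--full-suid" ]; then set -- /; else set -- /sbin /usr/sbin; fi
    d=$(systemctl is-active networkd-dispatcher 2>/dev/null)
    n=$(systemctl is-active systemd-networkd 2>/dev/null)
    e=$(systemctl is-enabled systemd-networkd 2>/dev/null)
    if user_has_process "$NETWORK_USER" "$(ps -eo user:32= 2>/dev/null)"; then p=1; else p=0; fi
    s=$(count_suid_owned_by "$NETWORK_USER" "$@")
    if possibly_vulnerable "$d" "$n" "$e" "$p" "$s"; then
        echo "possibly vulnerable: dispatcher=$d networkd=$n/$e user-process=$p suid-files=$s"
    else
        echo "preconditions not met: dispatcher=$d networkd=$n/$e user-process=$p suid-files=$s"
    fi
}

# Run the live check only when executed directly as nimbuspwn_check.sh;
# sourcing the file for reuse or testing skips it.
case "$0" in *nimbuspwn_check.sh) run_live_check "$@" ;; esac
```

Run it as `sh nimbuspwn_check.sh` or `sh nimbuspwn_check.sh --full-suid` on the host under review. As with the real detector, a positive result only means the preconditions hold: a `systemd-network` process or setuid file still has to be subverted for code execution before the bus name can be claimed.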