Dbus-1.0 Exploit <UHD 2024>

# Introspect the Bluetooth adapter introspection = await bus.introspect('org.bluez', '/org/bluez/hci0')

The vendor copied policy files from an old BlueZ version that trusted user="root" only, but they ran the Bluetooth daemon as root and forgot to add <deny user="*"/> for sensitive methods. The RegisterAgent method does not check if the caller has the CAP_NET_ADMIN capability. Part 5: Persistence and Lateral Movement Once you have D-Bus method execution on a privileged service, persistence becomes elegant. The Systemd Trap Systemd exposes org.freedesktop.systemd1.Manager on the system bus. A successful exploit chain can call: dbus-1.0 exploit

If the service does: sprintf(command, "rsync -av %s %s:/backup/", source_path, dest_host) An attacker sends: source_path = "/etc/shadow; id" (type STRING ) and dest_host = "localhost" . # Introspect the Bluetooth adapter introspection = await bus

# Craft a method call to a method that normally requires admin # but is mis-policy'd: "SetProperty" on the adapter to force discoverable msg = Message( destination='org.bluez', path='/org/bluez/hci0', interface='org.freedesktop.DBus.Properties', member='Set', signature='ssv', body=['org.bluez.Adapter1', 'Discoverable', Variant('b', True)] ) The Systemd Trap Systemd exposes org

We will use the dbus-next library for modern asyncio support.

busctl introspect org.freedesktop.NetworkManager /org/freedesktop/NetworkManager More powerful is monitoring the bus in real-time: