Dbus-1.0 Exploit Now

Every D-Bus system service ships a policy file (under /usr/share/dbus-1/system.d/ or /etc/dbus-1/system.d/) that tells dbus-daemon who may own the service's well-known name and who may send messages to it. A sane policy scopes both rights to the account the service runs as:

    <policy user="nobody">
      <allow own="com.vulnerable.Service"/>
      <allow send_destination="com.vulnerable.Service"/>
    </policy>

If the policy is too permissive, any unprivileged local user can call methods on a root-owned service. The usual mistake is an <allow send_destination="..."/> placed under <policy context="default">, which applies to every connection. Note that <allow user="*"/> on its own only lets everyone connect to the bus (the stock system.conf already does that); what decides a method call is the last matching send_* rule, evaluated across the default, group, user and mandatory policies in that order, with no match meaning deny on the system bus.

Before writing exploits, you need reconnaissance. The standard tool is busctl (from systemd); gdbus (from GLib) works as well.

Silent Reconnaissance

As an unprivileged user, you can list every connection on the system bus without any special authorization:

    busctl list

This returns a list of unique connection IDs (like :1.123) and well-known names (like org.freedesktop.NetworkManager).

A worthwhile target is org.bluez, the BlueZ Bluetooth stack. Vulnerability: many IoT vendors expose the org.bluez.AgentManager1 interface to every local user without restricting who may register a pairing agent. A local non-root user can register an agent that declares the NoInputNoOutput capability, so pairing needs no confirmation, pair with a device, and then drive that device through the root-owned daemon.

    busctl --system tree org.bluez

We find /org/bluez/hci0/dev_XX_XX_XX_XX_XX_XX, a connected device (the object path embeds the device's Bluetooth address).

The root cause is the policy file. The vendor copied it from an old BlueZ version, where the explicit trust is scoped to user="root", but they run the Bluetooth daemon as root behind a default-context policy that lets every user send to org.bluez, and they never added a deny rule for the sensitive interface, for example <deny send_destination="org.bluez" send_interface="org.bluez.AgentManager1"/> in the default context. (A <deny user="*"/> would not help here: the user attribute on a rule governs who may connect, not which methods they may call.) RegisterAgent itself performs no authorization: it does not check whether the caller holds CAP_NET_ADMIN or any other capability, and a D-Bus method handler normally cannot, so the bus policy is the only gate. Confirm this before writing code: as the unprivileged user, busctl --system introspect org.bluez /org/bluez shows the interface, and a call the policy rejects comes back as org.freedesktop.DBus.Error.AccessDenied.

We will use the dbus-next library for modern asyncio support. Inside a coroutine, connect to the system bus and introspect the adapter:

    from dbus_next.aio import MessageBus
    from dbus_next import BusType

    bus = await MessageBus(bus_type=BusType.SYSTEM).connect()
    # Introspect the Bluetooth adapter
    introspection = await bus.introspect('org.bluez', '/org/bluez/hci0')

The returned node lists the interfaces and methods the adapter object implements, which is what bus.get_proxy_object() needs to build a callable proxy.

String arguments are the other classic sink. Consider a fictional backup service that exposes a method:

    Backup.TransferFile(String source_path, String dest_host)

If the service builds a command line from the arguments and hands it to /bin/sh:

    sprintf(command, "rsync -av %s %s:/backup/", source_path, dest_host)

an attacker sends source_path = "/etc/shadow; id" (type STRING) and dest_host = "localhost". The shell splits the string at the semicolon, so id (or anything else) runs with the service's privileges. The argument types in the introspection data are the tell: any method that takes a STRING and touches the filesystem or the network deserves a look.

Part 5: Persistence and Lateral Movement

Once you have D-Bus method execution on a privileged service, persistence becomes elegant.

The Systemd Trap

Systemd exposes org.freedesktop.systemd1.Manager on the system bus. A successful exploit chain can call:
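To make the policy-evaluation rules concrete, the following is an added example (not code from the page or from dbus-daemon): a small evaluator that applies a D-Bus bus-policy file the way the policy discussion above describes and answers whether a given user may send a given method call. The two policy files inside it are constructed to mirror the vendor mistake in the BlueZ discussion and its fix; they are not BlueZ's shipped bluetooth.conf, and the function names are this example's own.

```python
"""Bus-policy triage for D-Bus: can a given user send a given method call?

Added example, not code from the page or from dbus-daemon. It models the
documented send_* matching rules: the <policy> elements that apply to a
connection are context="default", then group=, then user=, then
context="mandatory"; the last allow/deny rule that matches the message wins;
on the system bus a method call with no matching rule is denied.
"""
import xml.etree.ElementTree as ET

SEND_ATTRS = ("send_destination", "send_interface", "send_member", "send_type")

# Constructed policy files (not BlueZ's shipped bluetooth.conf).
# The "stale" one keeps a root-only block but also lets everyone send to
# org.bluez, which is what the vendor mistake in the text amounts to.
STALE_BLUETOOTH_CONF = """<busconfig>
  <policy user="root">
    <allow own="org.bluez"/>
    <allow send_destination="org.bluez"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.bluez"/>
  </policy>
</busconfig>"""

# The fix: keep the broad allow for ordinary operations but deny the
# sensitive interface for everyone; root regains it through its user policy,
# which is evaluated after the default context.
FIXED_BLUETOOTH_CONF = """<busconfig>
  <policy context="default">
    <allow send_destination="org.bluez"/>
    <deny send_destination="org.bluez" send_interface="org.bluez.AgentManager1"/>
  </policy>
  <policy user="root">
    <allow own="org.bluez"/>
    <allow send_destination="org.bluez"/>
  </policy>
</busconfig>"""


def _rule_matches(rule, msg):
    """A rule governs sending only if it has at least one send_* attribute;
    it matches when every send_* attribute it carries equals the message's
    value ('*' matches anything). own=, user=, receive_* rules are skipped."""
    attrs = {k: v for k, v in rule.attrib.items() if k in SEND_ATTRS}
    if not attrs:
        return False
    return all(v == "*" or msg[k] == v for k, v in attrs.items())


def may_send(policy_xml, user, groups, destination, interface, member,
             msg_type="method_call"):
    """Return True if `user` (a member of `groups`) may send the call."""
    msg = {"send_destination": destination, "send_interface": interface,
           "send_member": member, "send_type": msg_type}
    ranked = []
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("context") == "default":
            ranked.append((0, pol))
        elif pol.get("group") is not None and pol.get("group") in groups:
            ranked.append((1, pol))
        elif pol.get("user") == user:
            ranked.append((2, pol))
        elif pol.get("context") == "mandatory":
            ranked.append((3, pol))
    ranked.sort(key=lambda t: t[0])  # stable: file order kept within a class
    decision = False  # system.conf denies method_call unless a rule allows it
    for _, pol in ranked:
        for rule in pol:
            if rule.tag in ("allow", "deny") and _rule_matches(rule, msg):
                decision = rule.tag == "allow"
    return decision


def default_context_allows(policy_xml):
    """Quick grep: every send_* allow rule that applies to all connections."""
    hits = []
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("context") != "default":
            continue
        for rule in pol.findall("allow"):
            attrs = {k: v for k, v in rule.attrib.items() if k in SEND_ATTRS}
            if attrs:
                hits.append(attrs)
    return hits


if __name__ == "__main__":
    call = ("org.bluez", "org.bluez.AgentManager1", "RegisterAgent")
    for name, conf in (("stale", STALE_BLUETOOTH_CONF), ("fixed", FIXED_BLUETOOTH_CONF)):
        print(name, "nobody ->", may_send(conf, "nobody", (), *call),
              "root ->", may_send(conf, "root", (), *call))
```

Treat the result as triage, not proof: real dbus-daemon also honours send_path, send_broadcast, receive_* and eavesdrop attributes, numeric uids, and <include> directives, none of which this evaluator models. Confirm a "True" with an actual busctl call as the unprivileged user and check for org.freedesktop.DBus.Error.AccessDenied.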
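The Backup.TransferFile injection from the page, as an added example (not the page's or any vendor's code): the shell-string sink the text describes beside a hardened argv-list version with input validation, written in Python rather than the service's C, with echo standing in for rsync so it runs harmlessly offline. The payload, the hostname pattern and the function names are assumptions of this example.

```python
"""Backup.TransferFile: the shell-string sink beside an argv-list sink.

Added example, not the page's service. The text's service is C (sprintf into
a command string handed to a shell); this models the same two designs in
Python. `echo` stands in for rsync so the demo is harmless and deterministic;
only the argument handling is under test. The payload is constructed.
"""
import os
import re
import subprocess

# Hostnames and IPv4 literals; anything else (spaces, quotes, a leading '-')
# is rejected before it gets anywhere near rsync.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

PAYLOAD_SOURCE = "/etc/shadow; echo INJECTED"  # constructed; the page's is "/etc/shadow; id"
PAYLOAD_HOST = "localhost"


def vulnerable_command(source_path, dest_host, tool="rsync"):
    """The page's sprintf(): arguments spliced into one command string."""
    return f"{tool} -av {source_path} {dest_host}:/backup/"


def run_vulnerable(source_path, dest_host, tool="echo"):
    """Hand the string to /bin/sh, as system(3) would. Returns stdout lines."""
    cmd = vulnerable_command(source_path, dest_host, tool)
    res = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return res.stdout.splitlines()


def safe_argv(source_path, dest_host, tool="rsync"):
    """Hardened: validate each argument, then build an argv list.

    No shell is involved, so ';' is just a byte in a file name. The checks
    close the remaining hole, option injection: rsync parses an argument
    that starts with '-' as an option, so the path must be absolute and the
    host must look like a host."""
    if not os.path.isabs(source_path) or "\n" in source_path:
        raise ValueError("source_path must be an absolute path")
    if not HOSTNAME_RE.match(dest_host):
        raise ValueError("dest_host is not a valid hostname")
    return [tool, "-av", source_path, f"{dest_host}:/backup/"]


def run_safe(source_path, dest_host, tool="echo"):
    """Execute the validated argv directly (no shell). Returns stdout lines."""
    res = subprocess.run(safe_argv(source_path, dest_host, tool),
                         capture_output=True, text=True)
    return res.stdout.splitlines()


def rejected(source_path, dest_host):
    """True if the hardened builder refuses this pair of arguments."""
    try:
        safe_argv(source_path, dest_host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("shell string :", vulnerable_command("/etc/shadow; id", "localhost"))
    print("vulnerable   :", run_vulnerable(PAYLOAD_SOURCE, PAYLOAD_HOST))
    print("hardened     :", run_safe(PAYLOAD_SOURCE, PAYLOAD_HOST))
    print("host '-e sh' rejected:", rejected("/etc/shadow", "-e sh"))
```

The vulnerable path returns two output lines because the shell ran two commands; the hardened path returns one line in which the whole payload survived as a single file-name argument. Dropping the shell is what stops the injection; the validation exists because rsync, like most tools, still interprets arguments that begin with a dash.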