A typical vulnerable rule looks like this (simplified):
Because D-Bus serializes the string faithfully, the shell will execute the injection. Modern services should use execv or API calls, but legacy dbus-1.0 wrappers often used popen() . One of the most famous dbus-1.0 -adjacent exploits involved PolKit (pkexec). While not a D-Bus bug, the attack surface was D-Bus. An unprivileged user could send a carefully crafted D-Bus message to org.freedesktop.PolicyKit1 , causing a race condition where the privilege elevation was granted to a different process than the one requesting it. dbus-1.0 exploit
busctl introspect org.freedesktop.NetworkManager /org/freedesktop/NetworkManager More powerful is monitoring the bus in real-time: A typical vulnerable rule looks like this (simplified):