We covered and explained CVE-2023-4911 Looney Tunables that affects mostly all Linux distributions and allows an attacker to escalate privileges to root. The vulnerability impacts the GNU C Library’s dynamic loader, known as ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. We used a lab setup specifically to try this exploit using TryHackMe.
LD.SO: The dynamic linker/loader
Whenever you execute an ELF file that depends on shared libraries (
.so files), the operating system will need to load such libraries and link them to your executable so that any shared functions are available to your program during its execution. In Linux systems, this is normally managed by
ld.so, an executable prepackaged as part of the
Every ELF executable contains a section named
.interp, where the location of its required loader is specified so that the operating system knows which specific loader to use.
CVE-2023-4911 Vulnerability Exploitation
We will dig more into the exploitation phase using the following PoC.
- Environment Variables Setup
The exploit creates different arrays (line 41), which will be used later to store the
GLIBC_TUNABLESenvironment variables and trigger the buffer overflow in glibc when the program is executed.
- Environment Variables Crafting
filler: This variable is created to pad away the loader’s read-write section. It’s filled with a long sequence of ‘F’ characters (‘F’). (lines 17-23)
kv: This variable is the payload that will trigger the buffer overflow. It’s filled with a long sequence of ‘A’ characters (‘A’). (lines 27-33)
filler2: Similar to filler, this variable is used to pad away any extra portions. It’s also filled with a sequence of ‘F’ characters. (lines 37-43)
dt_rpath: This variable is used to craft a specific value
-0x14ULLto overwrite memory regions in the exploitation process. (lines 47-53)All those variables will be copied to the
envparray, which contains environment variables.
The payload in
GLIBC_TUNABLESdoes the following to ld.so: It overwrites a segment of the stack with an index pointing to a string with
"as its content. The intention here is to manipulate the stack so that the index points to a specific memory address where the character ” (a double quote) is stored. The stack is a region of memory used for storing local variables and function call information during program execution. To add to the exploit’s complexity, modern operating systems randomize the stack’s location, making it difficult to predict where the index will end up in memory.
The exploit uses a trial-and-error approach to account for the randomness of the stack’s location. It repeatedly runs the program (forking and executing it) until it gets lucky and the fixed address
0x7ffdfffff030matches the address where the stack index points to “. This effectively manipulates the library search path to point to the directory named
"which will contain a malicious version of
The process for generating the forged
libc6.soconsists of copying libc6.so but replacing the
__libc_start_mainfunction with a custom shellcode that does
setuid(0) + setgid(0) + exec('/bin/sh'). You can find the Python script for this here.
The program enters a loop where it forks a child process: In the child process, it attempts to execute
--help. If the child process takes longer than one second, it assumes that it is returning from a shell, indicating a potential successful exploit.
If you can’t patch, follow the instructions this link for mitigation
Patching your system is the best and only way to remediate.