We covered and explained CVE-2023-4911 Looney Tunables that affects mostly all Linux distributions and allows an attacker to escalate privileges to root. The vulnerability impacts the GNU C Library’s dynamic loader, known as ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. We used a lab setup specifically to try this exploit using TryHackMe.

LD.SO: The dynamic linker/loader

Get OSCP Notes

Whenever you execute an ELF file that depends on shared libraries (.so files), the operating system will need to load such libraries and link them to your executable so that any shared functions are available to your program during its execution. In Linux systems, this is normally managed by ld.so, an executable prepackaged as part of the glibc library.

Every ELF executable contains a section named .interp, where the location of its required loader is specified so that the operating system knows which specific loader to use.

CVE-2023-4911 Vulnerability Exploitation

We will dig more into the exploitation phase using the following PoC.

  1. Environment Variables Setup

    The exploit creates different arrays (line 41), which will be used later to store the GLIBC_TUNABLES environment variables and trigger the buffer overflow in glibc when the program is executed.
  2. Environment Variables Craftingfiller: This variable is created to pad away the loader’s read-write section. It’s filled with a long sequence of ‘F’ characters (‘F’). (lines 17-23)
    kv: This variable is the payload that will trigger the buffer overflow. It’s filled with a long sequence of ‘A’ characters (‘A’). (lines 27-33)
    filler2: Similar to filler, this variable is used to pad away any extra portions. It’s also filled with a sequence of ‘F’ characters. (lines 37-43)
    dt_rpath: This variable is used to craft a specific value -0x14ULL to overwrite memory regions in the exploitation process. (lines 47-53)All those variables will be copied to the envp array, which contains environment variables.
  3. Weaponization

    The payload in GLIBC_TUNABLES does the following to ld.so: It overwrites a segment of the stack with an index pointing to a string with " as its content. The intention here is to manipulate the stack so that the index points to a specific memory address where the character ” (a double quote) is stored. The stack is a region of memory used for storing local variables and function call information during program execution. To add to the exploit’s complexity, modern operating systems randomize the stack’s location, making it difficult to predict where the index will end up in memory.
  4. Exploitation:
    The exploit uses a trial-and-error approach to account for the randomness of the stack’s location. It repeatedly runs the program (forking and executing it) until it gets lucky and the fixed address 0x7ffdfffff030 matches the address where the stack index points to “. This effectively manipulates the library search path to point to the directory named " which will contain a malicious version of lib6.so.
    The process for generating the forged libc6.so consists of copying libc6.so but replacing the __libc_start_main function with a custom shellcode that does setuid(0) + setgid(0) + exec('/bin/sh'). You can find the Python script for this here.
    The program enters a loop where it forks a child process: In the child process, it attempts to execute /usr/bin/su with --help. If the child process takes longer than one second, it assumes that it is returning from a shell, indicating a potential successful exploit.

CVE-2023-4911 Mitigation

If you can’t patch, follow the instructions this link for mitigation

CVE-2023-4911  Remediation

Patching your system is the best and only way to remediate.

Room Answers

What’s the value of the flag in /root/root.txt?

Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles