DEV Community


Posted on

Nasty local privilege escalation on Linux Looney Tunables

This one is sneaky!

Successful exploits grant root privileges and the bug affects very popular Linux distros, like Debian, Ubuntu, Fedora, or Red Hat Enterprise Linux.

What is it?

Source: cve-2023-4911.

This buffer overflow targets the GNU C Library's dynamic loader and the environment variable GLIBC_TUNABLES (hence the name Looney Tunables).

Most UNIX systems rely on this component, and various programs use it to allocate memory or handle files.

Hackers use it to inject arbitrary code that will execute a SetUID binary and ultimately get a shell (in this case, a root shell!).

Check if you're vulnerable

env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
Enter fullscreen mode Exit fullscreen mode

You're vulnerable if you get something like "Segmentation fault (core dumped)."

Note that there might be simpler POCs that include ready-to-use Python scripts to reproduce the bug.

As usual, be careful, and run those scripts on a VM before (virtual machine), if possible.

Check the logs

Exploited systems should have some traces in the system logs, as most POCs I've seen use the trial-and-error approach.

Most SUID-root programs are concerned

Final note: the exploitation method described in this advisory works against almost all of the SUID-root programs that are installed by default on Linux

(Except a few exceptions)


Step back

This is a high-severity flaw, so patching glibc makes sense.

However, unlike what I've read in many blog posts, this is neither super easy to exploit nor "straightforward" (trial and error).

Besides, you need a local user to escalate privileges.

However, such attacks are still neglected (post-exploitation) by most users and organizations, so this CVE is a good reminder.

Top comments (0)