CarderPlanet
Qualys has identified a dangerous vulnerability (CVE-2023-4911) in the linker ld.so, supplied as part of the Glibc system C library (GNU libc). The vulnerability, codenamed "Looney Tunables", allows a local user to raise their privileges in the system by specifying specially designed data in the GLIBC_TUNABLES environment variable before running an executable file with the suid root flag, for example, /usr/bin/su.
The possibility of successful exploitation of the vulnerability was demonstrated in Fedora 37 and 38, Ubuntu 22.04 and 23.04, Debian 12 and 13. It is assumed that the vulnerability is also present in any other distributions that use Glibc. Distributions based on the Musl system C library, such as Alpine Linux, are not affected. The vulnerability was fixed in a patch added on October 2.
The vulnerability is caused by a change introduced in April 2021 and included in the glibc 2.34 release. Due to an error in the parsing code of the string specified in the GLIBC_TUNABLES environment variable, an incorrect combination of parameters in this variable causes the parsed value to be written out of the allocated buffer. The problem occurs when, instead of the standard "name=val" sequences, the parameters are set in the form with a double assignment "name=name=val". In this case, the assignment is processed twice, first as "name=name=val" and then as "name=val". Because of this double processing, the result "name=name=val:name=val" is generated, the size of which exceeds the size of the tunestr buffer.
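To make the double processing concrete, here is an added model of the parse loop (written for this post, not glibc's own code): model_parse, rebuilt_len and would_overflow are hypothetical names, and it assumes a single known tunable, glibc.malloc.mxfast, that the suid code path copies into tunestr. Output goes to a bounded buffer, so the model only reports how many bytes glibc would have written versus the strlen+1 it allocated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Model of the GLIBC_TUNABLES rebuild loop glibc 2.34-2.38 runs for AT_SECURE
   (suid) binaries. Not glibc's code: a re-creation of its control flow with one
   known tunable (assumed to be one the secure path copies into tunestr). Output
   is bounded by outsz; returns bytes glibc would have written, or -1 if > outsz. */
static const char *KNOWN = "glibc.malloc.mxfast";

long model_parse(const char *s, bool fixed, char *out, size_t outsz)
{
    size_t off = 0; const char *p = s;
#define PUT(c) do { if (off >= outsz) return -1; out[off++] = (c); } while (0)
    for (;;) {
        const char *name = p; size_t nlen = 0;
        while (p[nlen] != '=' && p[nlen] != ':' && p[nlen] != '\0') nlen++;
        if (p[nlen] == '\0') break;                 /* no name=value left */
        if (p[nlen] == ':') { p += nlen + 1; continue; }
        p += nlen + 1;                               /* skip '=' */
        const char *value = p; size_t vlen = 0;
        while (p[vlen] != ':' && p[vlen] != '\0') vlen++;
        if (nlen == strlen(KNOWN) && memcmp(name, KNOWN, nlen) == 0) {
            if (off > 0) PUT(':');
            for (const char *n = KNOWN; *n; n++) PUT(*n);
            PUT('=');
            for (size_t j = 0; j < vlen; j++) PUT(value[j]);
        }
        if (p[vlen] == '\0') {
            if (fixed) break;   /* patched glibc: stop at end of string */
            continue;           /* BUG: p not advanced, tail parsed again */
        }
        p += vlen + 1;                               /* skip ':' */
    }
    PUT('\0');
    return (long)off;
}

/* Bytes the rebuilt string needs; glibc sized tunestr as strlen(s)+1. */
long rebuilt_len(const char *s, bool fixed)
{
    char buf[8192];   /* assumption: inputs short enough for the model */
    return model_parse(s, fixed, buf, sizeof buf);
}

bool would_overflow(const char *s, bool fixed)
{
    long n = rebuilt_len(s, fixed);
    return n < 0 || (size_t)n > strlen(s) + 1;
}
```

For "glibc.malloc.mxfast=glibc.malloc.mxfast=A" (41 bytes, so a 42-byte tunestr) the unfixed loop produces 64 bytes, while the patched loop stops at the end of the string and produces exactly 42.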
Researchers have prepared a stable working exploit that allows you to get root rights when used with almost any program with the suid root flag. The exceptions are the sudo utility (changes the ELF RUNPATH value), the chage and passwd utilities in Fedora (protected by separate SELinux rules), and the snap-confine utility in Ubuntu (protected by separate AppArmor rules). The proposed method of exploitation also does not work in RHEL 8 and RHEL 9, although these branches are vulnerable (the attack requires the creation of a different exploit). The exploit code will be published later, after the vulnerability is fully resolved. You can check whether your system is vulnerable with the command below, which will crash if the problem is present:
Code:
env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
Two other vulnerabilities were also fixed in Glibc:
• CVE-2023-4806 - access to an already freed memory area (use-after-free) in the getaddrinfo() function, which occurs when the NSS plugin implements only the "_gethostbyname2_r" and "_getcanonname_r" callbacks, but does not support the "_gethostbyname3_r" call. To exploit the vulnerability, the DNS server must return a large number of IPv6 and IPv4 addresses for the requested host, which will crash the process that called the getaddrinfo function for the AF_INET6 family when setting the AI_CANONNAME, AI_ALL, and AI_V4MAPPED flags.
• CVE-2023-5156 - memory contents leak when calling the getaddrinfo function for the AF_INET6 address family with the AI_CANONNAME, AI_ALL, and AI_V4MAPPED flags set.
