Looking into the Looney Tunables Linux Privesc CVE-2023-4911

00:00 – Introduction: what the Looney Tunables exploit is and my thoughts on the severity of the vulnerability
02:30 – Start talking about how the vulnerability works
04:00 – The POC string to identify whether a box is vulnerable; it doesn't actually exploit anything, but it quickly tells you if a vulnerable glibc is installed
05:45 – Important parts I wanted to point out in the technical writeup
09:00 – Downloading a good POC written in Python, then glancing over the code to make sure there isn't anything malicious in it
13:37 – Analyzing the exit shellcode manually in Ghidra to see that it just exits with 0x66
18:50 – Analyzing the main shellcode in Ghidra, showing that it does a lot more
21:50 – Putting the shellcode into an ELF binary so we can analyze it with gdb
29:50 – Logging into HTB's TwoMillion machine to run this exploit
31:45 – Showing how to get the magic numbers in case your target is not supported: disabling ASLR, then running the exploit
34:50 – Looking at how Elastic got lucky and detected this exploit with their default ruleset
36:00 – Looking at how CrowdSec detects it
36:55 – Looking at the more recent Elastic rules to see the more thorough check for this exploit
40:40 – Showing all the segfaults in /var/log/kern.log
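The two detection angles covered in the video (the segfault storm in /var/log/kern.log as the exploit brute-forces ld.so, and the malformed GLIBC_TUNABLES value that triggers the bug) can be turned into a small log check. The following is an added example written for this page, not code from the video, the Python POC, Elastic or CrowdSec. The kern.log lines are constructed to follow the kernel's `segfault at ... ip ... sp ... error ... in <module>[base+size]` report format, the threshold of three loader crashes per program is my own choice, and the "name=name=value" shape flagged by `malformed_tunables` is taken from the Qualys analysis linked below.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel's segfault report format (not captured from
# the video's machine). A setuid program crashing repeatedly inside ld.so is the
# brute-force pattern; the firefox crash and the USB message are noise.
SAMPLE_KERN_LOG = """\
Oct  5 10:14:01 htb kernel: [ 4123.001] su[2201]: segfault at 0 ip 00007f2a1c03d6e1 sp 00007ffd5c1a0b40 error 6 in ld-linux-x86-64.so.2[7f2a1c028000+26000]
Oct  5 10:14:01 htb kernel: [ 4123.009] su[2203]: segfault at 0 ip 00007f9b3a14d6e1 sp 00007ffe1a2b0c40 error 6 in ld-linux-x86-64.so.2[7f9b3a138000+26000]
Oct  5 10:14:02 htb kernel: [ 4123.017] su[2205]: segfault at 0 ip 00007f0c4b25d6e1 sp 00007ffc2b3c0d40 error 6 in ld-linux-x86-64.so.2[7f0c4b248000+26000]
Oct  5 10:14:02 htb kernel: [ 4123.025] su[2207]: segfault at 0 ip 00007f1d5c36d6e1 sp 00007ffb3c4d0e40 error 6 in ld-linux-x86-64.so.2[7f1d5c358000+26000]
Oct  5 10:14:03 htb kernel: [ 4123.033] su[2209]: segfault at 0 ip 00007f2e6d47d6e1 sp 00007ffa4d5e0f40 error 6 in ld-linux-x86-64.so.2[7f2e6d468000+26000]
Oct  5 10:20:11 htb kernel: [ 4493.100] firefox[3001]: segfault at 10 ip 000055a1b2c3d4e5 sp 00007ffd00112233 error 4 in libxul.so[55a1b0000000+8000000]
Oct  5 10:21:00 htb kernel: [ 4542.000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

# Kernel segfault report: "<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <module>[<base>+<size>]".
# re.search is used so that trailing text newer kernels add ("likely on CPU ...") does not matter.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<module>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_segfaults(log_text):
    """Return one dict per kernel segfault line; lines that are not segfault reports are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def is_dynamic_loader(module):
    """True for the glibc dynamic loader (ld-linux-*.so.*, ld-<ver>.so, ld.so)."""
    return module.startswith("ld-") or module.startswith("ld.so")


def loader_crash_counts(events):
    """Count segfaults whose faulting code lies in ld.so, keyed by the crashing program name."""
    return Counter(e["comm"] for e in events if is_dynamic_loader(e["module"]))


def suspicious_programs(events, threshold=3):
    """Programs that crashed inside ld.so at least `threshold` times (assumed threshold)."""
    return sorted(comm for comm, n in loader_crash_counts(events).items() if n >= threshold)


def malformed_tunables(value):
    """Return the entries of a GLIBC_TUNABLES value whose value part itself contains '='.

    Tunables are colon-separated "name=value" pairs; an entry of the form
    "name=name=value" is the shape the Qualys writeup identifies as the trigger.
    """
    bad = []
    for entry in value.split(":"):
        name, sep, val = entry.partition("=")
        if sep and "=" in val:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    events = parse_segfaults(SAMPLE_KERN_LOG)
    print("ld.so crashes per program:", dict(loader_crash_counts(events)))
    print("suspicious:", suspicious_programs(events))
    print("malformed:", malformed_tunables("glibc.malloc.mxfast=glibc.malloc.mxfast=A"))
    print("benign:", malformed_tunables("glibc.malloc.mxfast=1:glibc.malloc.tcache_count=2"))
```

Running it against a real /var/log/kern.log only needs `parse_segfaults(open("/var/log/kern.log").read())`; a setuid program such as su or sudo faulting inside ld.so several times in a short window is the signal the video points at, and the GLIBC_TUNABLES check is the environment-side counterpart to the Elastic rule discussed in the video.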

Highlighted Links:
– Qualys Blog Post: https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so
– Qualys Tech Details: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
– Exploit POC Tweet: https://twitter.com/bl4sty/status/1710634253518582047
– Elastic Initial Detection Tweet: https://twitter.com/RFGroenewoud/status/1709866613292282101
– Crowdsec Detection Tweet: https://twitter.com/Crowd_Security/status/1709959368467157244