CVE-2023-4911 Looney Tunables Glibc Linux Privilege Escalation | Update Your Linux Now!

Captions
What's going on guys, welcome back. In this video today we're going to talk about a very recent vulnerability that was published on 3 October this month, about 7 days ago: CVE-2023-4911. This CVE affects nearly all Linux distributions and it is classified as a heap buffer overflow vulnerability, so basically all Linux users need to update their systems immediately, because this vulnerability affects nearly all distributions and it's a very dangerous one.

Let's talk about this vulnerability. The first thing we're going to talk about, guys, is what it affects and how it affects Linux distributions. As you can see, a buffer overflow vulnerability was discovered in the GNU C Library's dynamic loader. This dynamic loader, ld.so, is responsible for providing the required shared libraries for any executable when it is run on Linux; it is normally known as ld.so. The vulnerability poses a significant risk, since it allows escalating the privileges of a logged-on user and obtaining full control of the vulnerable machine. So this vulnerability allows any non-privileged user to escalate from any user into root.

As you can see, this is the Red Hat page. Let's scroll down and see what it says: "We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu and Debian; other distributions are probably also vulnerable and exploitable as well. One notable exception is Alpine Linux." So it affects nearly all Linux distributions. When it comes to what Red Hat is affected by, as you can see here, this vulnerability was introduced in glibc version 2.34. Red Hat 8 ships glibc 2.28, which is not originally affected by this vulnerability; however, the commit that introduced this vulnerability was backported to RHEL 8.5, making this version and onward vulnerable. So if you are using Red Hat 8.5 and onwards you have to update; if you're using 8.4 and older you don't have to update. So that's for Red Hat. Now if you are using Fedora 37, 38, Ubuntu 22.04, 23.04, Debian 12 and 13, you have to update. Look, whatever Linux distribution you have, just update, except Red Hat: make sure to know what version you are on, because if you're using 8.4 and older you don't have to update. So these are the Linux distributions affected by this vulnerability.

As we said earlier, it allows a local attacker, meaning someone who has compromised a Linux machine, to escalate from a local user into a root user. So what are the prerequisites, what does the attacker need to achieve root privileges on the vulnerable machine? This is a proof of concept here. What the attacker needs is an exploit code and a Python script. Obviously, guys, the Python script will generate a malicious loader. We talked about this earlier: it will generate a malicious loader file, in this case ld.so. This is the original ld.so, the loader that Linux distributions use to allocate the shared libraries for an executable to run. What you have to do is use the Python script to create a similar one, but a malicious one of course, and then compile the exploit code and execute it on the vulnerable machine.

Alright, so let's go over the exploit code. We go to exploit.c; this is the exploit code. If we go to line 41 here, the exploit creates different arrays, as you can see, which will be used later to store the GLIBC_TUNABLES. Remember that the vulnerability is in the dynamic loader while processing the GLIBC_TUNABLES environment variable. This environment variable, guys, is searched and processed whenever you execute any binary on Linux, and it is very related to the loader here. So here we create many arrays because we want to use them later to store the GLIBC_TUNABLES environment variables and trigger the buffer overflow in glibc when the program is executed.

Now another important part of this exploit code is this part. We have this variable, filler; this variable is created to pad away the loader's read-write section. It's filled with a long sequence of F characters. Then, let's scroll down, we have filler2 here. filler2 is similar to filler: this variable is also used to pad away any extra portions, and it's filled also with a sequence of F characters. Let's see as well what other important variables we have. We have dt_rpath: this variable is used to craft a specific value to overwrite memory regions during the exploitation process. So this is the exploit code and some important parts, or important variables, of the exploit. We have this, look at this, the kv with the buffer size: kv is the payload that will trigger the buffer overflow, guys, it's filled with a long sequence of A's. So these are the necessary variables to perform the exploitation laid down in the exploit code. And here, this is the Python script used to generate the malicious library, or the malicious loader.

Alright, so what do we need to do here? We need now to go and test this. Luckily for us, TryHackMe has a dedicated machine called Looney Tunables; this machine allows you to practice the exploitation of this vulnerability. Once you connect to the vulnerable machine, as you can see, you have the exploit code and you have the Python script that will be used to generate the malicious loader. So what you have to do first is generate the malicious loader. Basically, guys, the malicious loader is not always ld.so; we have to find what it is per machine, depending on the machine, so it's very safe to first find out what the loader is for every binary. Remember, guys, that this vulnerability requires, as you can see here: "this issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges". We talked about this in the exploit code. So it looks for binaries with SUID permission and it executes the code with elevated privileges by generating malicious GLIBC_TUNABLES environment variables; we explained them here, these ones.

So now let's go back and generate the malicious loader. By the way, you can find out the loader used in any Linux distribution for any binary using readelf. Let's say you want to find this for /usr/bin/man with -p: as you can see, this is the loader used for this binary. Now if you go back to the Python script: here is the OS, Linux, the architecture, and this is the libc. As you can see, this is the loader defined in the exploit script, and then we use shellcraft to create the shellcode, and that's it. So you may change this according to the output you find; here it is the same, here it is 6, here we have 2, it depends on the binary. Now we target binaries with SUID permissions.

So let's now execute the Python script and generate the malicious loader. PIE enabled, as you can see, NX enabled; most protections are enabled. Now we have to compile the exploit code which we have here: gcc -o exploit. Now we have the necessary files: we have the loader and we have the exploit code. Now we make sure that there are enough permissions to execute the exploit, and then we execute it. Okay, let's analyze what happened. As you can see we have try 100, try 200, 300, 400. So what is all that? Basically the exploit uses a trial-and-error approach to account for the fact that the stack's location is changed every time. As you can see we have NX enabled and we have position independent executable enabled; we explain these in the binary exploitation track from Hack The Box. So based on the fact that there are protections here, what the exploit is doing is actually repeatedly running the program, forking and executing it, until it gets a fixed address on the stack. That's why we have so many tries here: it is just looking for a fixed address on the stack. And this is what happens here: this effectively manipulates the library search path to point to the directory named with double quotes here.

So if we check the exploit code back again, look at this line. Basically the process for generating the forged libc we talked about earlier consists of copying libc.so.6, this one, but replacing __libc_start_main, here, where is this one, yeah, with a custom shellcode we generate from here. That's what is happening, guys, and this in turn will execute it. So if you go back and see if it has been executed: id, and it is root; previously it was no privilege. pwd, ls, okay, look at this one, this wasn't here before: it is a directory that is named with double quotes. So what is that? This is, guys, because, as I said earlier, the exploit is executing again and again until it finds a fixed address on the stack. This effectively manipulates the library search path; we want the search path for the library to point to the double-quotes directory here, so that it finds the library we have generated instead of the original one. We want to use the malicious library we generated, which in turn will generate malicious GLIBC_TUNABLES that will in turn elevate the privileges from no privilege into root. So it's kind of a for loop, right, until it finds the appropriate address on the stack, which will search for this path, and this path contains the malicious shared library we have just generated.

Okay, so that's the exploitation part. Now in the room here we are required to find the root flag, so let's find the root flag. That is the flag. Alright, now if you go to this page here, if you want more details on how this works, you can read this page; there is an analysis of the full exploit code and this is the proof of concept. Now how to patch? You just have to update. For Red Hat, I told you guys, everything before 8.4 you don't have to update; everything 8.5 and onward you have to update, and there is a mitigation explained here if you cannot update, for Red Hat users. Okay guys, so that was it. I hope you enjoyed the video and I'm going to see you later.
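A defender-side check that follows from what the video describes: the exploit hands ld.so a GLIBC_TUNABLES value padded with long runs of a single character, so a live process carrying such a value is worth flagging. This is an added example, not code from the video, the TryHackMe room or the advisories it shows; the 256-byte length threshold, the `glibc.<ns>.<name>` name pattern and the 64-character run length are assumptions chosen for illustration.

```python
import os
import re

# Assumptions (not from the video): legitimate GLIBC_TUNABLES strings are
# short and consist of "glibc.<ns>.<name>=<value>" items joined by ':'.
MAX_SANE_LEN = 256                     # bytes; real tuning strings are tiny
TUNABLE_NAME = re.compile(r"^glibc\.[a-z_]+\.[a-z0-9_]+$")
LONG_RUN = re.compile(r"(.)\1{63,}")   # 64+ identical consecutive characters


def classify_tunables(value: str) -> list[str]:
    """Return why a GLIBC_TUNABLES value looks like an overflow payload ([] = benign)."""
    reasons = []
    if len(value) > MAX_SANE_LEN:
        reasons.append(f"oversized value ({len(value)} bytes)")
    if LONG_RUN.search(value):
        reasons.append("long run of one repeated character (filler-style padding)")
    for item in value.split(":"):
        if not item:
            continue
        name = item.partition("=")[0]
        if not TUNABLE_NAME.match(name):
            reasons.append(f"malformed tunable name {name[:40]!r}")
            break
    return reasons


def scan_proc_environ() -> dict[int, list[str]]:
    """Map pid -> reasons for live processes whose GLIBC_TUNABLES trips a rule."""
    hits = {}
    if not os.path.isdir("/proc"):          # not Linux: nothing to inspect
        return hits
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:                                # environ is NUL-separated; skip unreadable pids
            with open(f"/proc/{entry}/environ", "rb") as fh:
                block = fh.read()
        except OSError:
            continue
        for var in block.split(b"\0"):
            if var.startswith(b"GLIBC_TUNABLES="):
                reasons = classify_tunables(var[len(b"GLIBC_TUNABLES="):].decode("latin-1"))
                if reasons:
                    hits[int(entry)] = reasons
    return hits


if __name__ == "__main__":
    for pid, why in scan_proc_environ().items():
        print(f"pid {pid}: {'; '.join(why)}")
```

Run it as root to see every process's environment; an ordinary user can only read the environ of their own processes.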
Info
Channel: Motasem Hamdan
Views: 1,702
Id: lv4e742FR_8
Length: 17min 55sec (1075 seconds)
Published: Tue Oct 10 2023