id: CVE-2023-4911 info: name: Looney Tunables Linux - Local Privilege Escalation author: nybble04 severity: high description: | A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges. remediation: | Upgrade GNU C Library (glibc) to a version later than affected releases that fixes the buffer overflow in the dynamic loader's GLIBC_TUNABLES environment variable processing. impact: | Local attackers can execute arbitrary code with elevated privileges, potentially leading to full system compromise. reference: - https://nvd.nist.gov/vuln/detail/CVE-2023-4911 - https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt - https://www.youtube.com/watch?v=1iV-CD9Apn8 - http://www.openwall.com/lists/oss-security/2023/10/05/1 - http://www.openwall.com/lists/oss-security/2023/10/13/11 classification: cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.8 cve-id: CVE-2023-4911 cwe-id: CWE-787,CWE-122 epss-score: 0.64338 epss-percentile: 0.98463 cpe: cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* metadata: max-request: 1 vendor: gnu product: glibc tags: cve,cve2023,code,glibc,looneytunables,linux,privesc,local,kev,gnu,vkev,vuln self-contained: true code: - engine: - sh - bash source: | env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help echo $? matchers: - type: word words: - "139" # Segmentation Fault Exit Code # digest: 4b0a00483046022100f42519e139c9d2bbac3266fdced55eb71559daba4ce675b2a07aab6f25bdc86b022100c5d6f35728040f4e0d43e48663cb6de3100d44e8ab7877d79b95511dbfa6f3df:922c64590222798bb761d5b6d8e72950