Merge pull request #8476 from nybble04/cve-2023-4911

CVE-2023-4911 Looney Tunables Linux Local Privesc
2023-11-07 15:58:51 +05:30 · 2023-11-07 15:58:51 +05:30 · 88d784ac61
parent cd4c5a3853 128e7d1e1d
commit 88d784ac61
1 changed files with 35 additions and 0 deletions
--- a/code/cves/CVE-2023-4911.yaml
+++ b/code/cves/CVE-2023-4911.yaml
@ -0,0 +1,35 @@
+id: CVE-2023-4911
+
+info:
+  name: Looney Tunables Linux - Local Privilege Escalation
+  author: nybble04
+  severity: high
+  description: |
+    A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-4911
+    - https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
+    - https://www.youtube.com/watch?v=1iV-CD9Apn8
+  classification:
+    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 7.8
+    cve-id: CVE-2023-4911
+    cwe-id: CWE-787
+    cpe: cpe:2.3:a:gnu:glibc:-:*:*:*:*:*:*:*
+  metadata:
+    vendor: glibc
+  tags: cve,cve2023,glibc,looneytunables,linux,privesc,local
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help
+      echo $?
+
+    matchers:
+      - type: word
+        words:
+          - "139"     # Segmentation Fault Exit Code