Looking into the Looney Tunable Linux Privesc CVE-2023-4911

00:00 - Introduction talking about what the Looney Tunable exploit is and my thoughts on the severity of the exploit 02:30 - Start talking about how the vulnerability works 04:00 - The POC String to identify if a box is vulnerable, it doesn't actually exploit but quickly identifies if a vulnerable glibc is installed 05:45 - Important parts I wanted to point out in the technical writeup. 09:00 - Downloading a good POC written in python, then glancing over the code to make sure there isn't anything malicious 13:37 - Analyzing the exit shellcode manually in Ghidra to see it just exits with 0x66 18:50 - Analyzing the main shellcode in Ghidra, showing it does a lot more 21:50 - Putting the Shellcode into an elf binary, so we can analyze it with gdb 29:50 - Logging into HTB's TwoMillion machine to run this exploit 31:45 - Showing how to get the magic numbers incase your target is not supported. Disable ASLR then running the exploit 34:50 - Looking at how Elastic got lucky and detected this exploit with their default ruleset 36:00 - Looking at how CrowdSec detects it 36:55 - Looking at the more recent Elastic rules to see the more thorough check for this exploit 40:40 - Showing all the segfaults in /var/log/kern.log Highlighted Links: - Qualsys Blog Post: https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so - Qualsys Tech Details: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt - Exploit POC Tweet: https://twitter.com/bl4sty/status/1710634253518582047 - Elastic Initial Detection Tweet: https://twitter.com/RFGroenewoud/status/1709866613292282101 - Crowdsec Detection Tweet: https://twitter.com/Crowd_Security/status/1709959368467157244