Looking into the Looney Tunable Linux Privesc CVE-2023-4911

00:00 - Introduction talking about what the Looney Tunable exploit is and my thoughts on the severity of the exploit
02:30 - Start talking about how the vulnerability works
04:00 - The POC string to identify if a box is vulnerable; it doesn't actually exploit anything but quickly identifies whether a vulnerable glibc is installed
05:45 - Important parts I wanted to point out in the technical writeup.
09:00 - Downloading a good POC written in python, then glancing over the code to make sure there isn't anything malicious
13:37 - Analyzing the exit shellcode manually in Ghidra to see it just exits with 0x66
18:50 - Analyzing the main shellcode in Ghidra, showing it does a lot more
21:50 - Putting the shellcode into an ELF binary, so we can analyze it with gdb
29:50 - Logging into HTB's TwoMillion machine to run this exploit
31:45 - Showing how to get the magic numbers in case your target is not supported. Disabling ASLR, then running the exploit
34:50 - Looking at how Elastic got lucky and detected this exploit with their default ruleset
36:00 - Looking at how CrowdSec detects it
36:55 - Looking at the more recent Elastic rules to see the more thorough check for this exploit
40:40 - Showing all the segfaults in /var/log/kern.log
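The last two chapters (detection rules, then the segfaults piling up in /var/log/kern.log) suggest a simple host-side check that does not need a vendor ruleset. The script below is an added example, not code from the video, from Qualys, or from Elastic/CrowdSec: it parses kernel segfault lines in the syslog-prefixed shape rsyslog writes to kern.log and alerts when one program crashes inside the dynamic loader (ld-linux / ld.so) repeatedly within a short window, which is what an ASLR brute force of a setuid binary looks like. The sample log excerpt, the hostname, the addresses, and the threshold/window values are all constructed assumptions.

```python
"""Flag brute-force style crash bursts inside ld.so in kern.log output.

Added illustration (not from the video or the linked write-ups). Exploiting
CVE-2023-4911 against ASLR means crashing the target setuid binary many
times in the dynamic loader's tunables parsing; each crash produces a
kernel "segfault at ... in ld-linux-x86-64.so.2[...]" line.
"""
import re
from collections import defaultdict

# Kernel segfault message (x86 show_signal_msg), prefixed by the syslog
# timestamp/host and the bracketed uptime that rsyslog puts in kern.log:
#   comm[pid]: segfault at ADDR ip IP sp SP error CODE in LIB[BASE+SIZE]
SEGFAULT_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+)\s+(?P<hms>\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"\[\s*(?P<uptime>[\d.]+)\]\s+"
    r"(?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]:\s+segfault at (?P<addr>[0-9a-f]+)\s+"
    r"ip (?P<ip>[0-9a-f]+)\s+sp (?P<sp>[0-9a-f]+)\s+error (?P<err>\d+)\s+"
    r"in (?P<lib>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# Loader file names as the kernel reports them: ld-linux-x86-64.so.2 on
# glibc >= 2.34, ld-2.xx.so on older glibc where the .so.2 name is a symlink.
LOADER_RE = re.compile(r"^(ld-linux[\w.-]*\.so[\d.]*|ld-\d+\.\d+\.so|ld\.so.*)$")

THRESHOLD = 5   # assumed: loader crashes of one program before alerting
WINDOW = 60.0   # assumed: seconds of uptime the crashes must fall within

# Constructed sample kern.log excerpt (not captured from a real machine);
# hostname and addresses are made up, the line shape follows the kernel's
# format string. Six su crashes in ld.so within a second, one unrelated
# firefox crash, and one "Code:" dump line that must be ignored.
SAMPLE_KERN_LOG = """\
Oct  5 10:13:01 ubuntu kernel: [ 1200.100112] su[4101]: segfault at 0 ip 00007f3a1c02b4e1 sp 00007ffc1b6e3c20 error 4 in ld-linux-x86-64.so.2[7f3a1c00a000+25000]
Oct  5 10:13:01 ubuntu kernel: [ 1200.100220] Code: 48 8b 45 f8 48 8b 00 48 89 c7 e8 1a 2b 00 00
Oct  5 10:13:01 ubuntu kernel: [ 1200.140301] su[4102]: segfault at 0 ip 00007f81e8c2b4e1 sp 00007ffd9b1a3c20 error 4 in ld-linux-x86-64.so.2[7f81e8c0a000+25000]
Oct  5 10:13:01 ubuntu kernel: [ 1200.181007] su[4103]: segfault at 0 ip 00007f2c0a62b4e1 sp 00007ffe4c7a3c20 error 4 in ld-linux-x86-64.so.2[7f2c0a60a000+25000]
Oct  5 10:13:01 ubuntu kernel: [ 1200.222913] su[4104]: segfault at 0 ip 00007f5d9e42b4e1 sp 00007ffcd1e13c20 error 4 in ld-linux-x86-64.so.2[7f5d9e40a000+25000]
Oct  5 10:13:01 ubuntu kernel: [ 1200.263550] su[4105]: segfault at 0 ip 00007f9a7b02b4e1 sp 00007ffd2a9f3c20 error 4 in ld-linux-x86-64.so.2[7f9a7b00a000+25000]
Oct  5 10:13:01 ubuntu kernel: [ 1200.304118] su[4106]: segfault at 0 ip 00007f1e4d82b4e1 sp 00007ffe8b053c20 error 4 in ld-linux-x86-64.so.2[7f1e4d80a000+25000]
Oct  5 10:13:09 ubuntu kernel: [ 1208.020004] firefox[2377]: segfault at 8 ip 00007f0b7c2d1a10 sp 00007ffee0a1b0f0 error 4 in libxul.so[7f0b7a000000+5c00000]
"""


def parse_segfaults(lines):
    """Yield one dict per kernel segfault line; other lines are skipped."""
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["uptime"] = float(ev["uptime"])
            ev["pid"] = int(ev["pid"])
            yield ev


def find_ld_so_crash_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per program that segfaulted inside the loader at
    least `threshold` times within any `window`-second span of uptime."""
    by_comm = defaultdict(list)
    for ev in parse_segfaults(lines):
        if LOADER_RE.match(ev["lib"]):
            by_comm[ev["comm"]].append(ev["uptime"])

    alerts = []
    for comm, times in by_comm.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over uptime
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"comm": comm, "count": len(times),
                               "first": times[0], "last": times[-1]})
                break
    return alerts


if __name__ == "__main__":
    for a in find_ld_so_crash_bursts(SAMPLE_KERN_LOG.splitlines()):
        print(f"ALERT: {a['comm']} crashed in ld.so {a['count']} times "
              f"between uptime {a['first']:.3f} and {a['last']:.3f}")
```

Run it against a real file with `find_ld_so_crash_bursts(open("/var/log/kern.log"))`. The check keys on the crashing mapping being the loader rather than on the GLIBC_TUNABLES string itself, because the environment is not in the kernel log; the legitimate false-positive case is a program that genuinely crashes in ld.so repeatedly (for example a broken LD_PRELOAD in a cron job), so treat the alert as a trigger to inspect the process's environment, not as proof of exploitation.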

Highlighted Links:
- Qualys Blog Post: https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so
- Qualys Tech Details: https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
- Exploit POC Tweet: https://twitter.com/bl4sty/status/1710634253518582047
- Elastic Initial Detection Tweet: https://twitter.com/RFGroenewoud/status/1709866613292282101
- Crowdsec Detection Tweet: https://twitter.com/Crowd_Security/status/1709959368467157244