glibc vulnerability that allows root access to the system

Brother
Qualys has identified a dangerous vulnerability (CVE-2023-6246) in the standard C library glibc that allows the launch of SUID applications to be manipulated so that attacker-supplied code runs with elevated privileges. The researchers developed a working exploit that gains root privileges by manipulating the command-line arguments passed when running the su utility.

The vulnerability is caused by a buffer overflow in the __vsyslog_internal() function, which is used internally by syslog() and vsyslog(). The problem occurs when an application name that is too long is written out via the SYSLOG_HEADER macro: the attempt to expand the buffer to fit the long name fails, after which the data is written into the old buffer of the original, smaller size.

When attacking through the su utility, the attacker can change the process name at launch by replacing the argv[0] value, which is what the program name written to the log is taken from, and thereby achieve a controlled overwrite of data outside the allocated buffer. The overflow can then be used to overwrite the nss_module structure in the NSS library so that an attacker-created shared library is loaded as root.

The problem has been present since the glibc 2.37 release, published in August 2022, which includes a change handling the case of an attempt to write a message that is too large. The patch that introduced the vulnerability was backported to the glibc 2.36 branch and to distribution packages with older glibc versions, since it fixed CVE-2022-39046, a data leak from the heap. Fixing a low-severity vulnerability thus led to a critical one. Notably, a similar vulnerability in the vsyslog() function of the libc 5.4.3 library was reported back in 1997.

The vulnerability was confirmed on Debian 12/13, Ubuntu 23.04/23.10 and Fedora 37-39. The exploit for obtaining root as an unprivileged user was demonstrated on a fully updated Fedora 38 system with all protection mechanisms enabled in the default configuration. The vulnerability can only be exploited locally, since it requires passing more than 1024 bytes via the argv[0] parameter or the ident argument of openlog().
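Because the post pins the trigger to a program name or ident longer than 1024 bytes, one cheap hunting heuristic on a host is to scan syslog-style logs for entries whose tag field is anywhere near that size. The script below is an added example written for this post, not code from Qualys or from the original author; it assumes the classic BSD syslog line layout ("timestamp host tag[pid]: message"), takes the 1024-byte threshold from the text above, and runs over a few constructed sample lines (one of them with a 1200-byte tag) so it can be executed offline.

```python
import re
import sys
from dataclasses import dataclass

# Threshold taken from the advisory text: exploitation needs more than 1024
# bytes in argv[0] or the openlog() ident, so tags beyond that are worth a look.
LONG_TAG_THRESHOLD = 1024

# Classic BSD syslog line: "<Mon dd HH:MM:SS> <host> <tag>[pid]: <message>".
# The tag group stops at the first '[', ':' or whitespace.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<tag>[^\[:\s]+)"
    r"(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)


@dataclass
class Finding:
    line_no: int      # 1-based line number in the scanned input
    tag_len: int      # length of the tag field in bytes
    tag_preview: str  # first few characters, enough to recognise the entry


def parse_syslog_line(line):
    """Return the named fields of one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_long_tags(lines, threshold=LONG_TAG_THRESHOLD):
    """Scan an iterable of log lines and report tags longer than `threshold` bytes."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        rec = parse_syslog_line(line)
        if rec is None:
            continue  # unparseable line: not this heuristic's business
        tag = rec["tag"]
        tag_len = len(tag.encode("utf-8"))
        if tag_len > threshold:
            findings.append(Finding(line_no, tag_len, tag[:16] + "..."))
    return findings


# Constructed sample input (not real log data). Line 3 carries a 1200-byte
# program name of the same shape as the printf-generated argv[0] in the post.
SAMPLE_LOG = [
    "Jan 31 10:00:01 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2",
    "Jan 31 10:00:02 host1 su[2345]: (to root) alice on pts/0",
    "Jan 31 10:00:03 host1 " + ("0" * 1199) + "1" + "[2346]: (to root) bob on pts/1",
    "Jan 31 10:00:04 host1 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
]


if __name__ == "__main__":
    # Usage: python3 long_tag_check.py < /var/log/auth.log
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for f in find_long_tags(source):
        print(f"line {f.line_no}: tag of {f.tag_len} bytes ({f.tag_preview})")
```

Two caveats when using this on a real box: a process hitting the bug on an unpatched glibc may crash before any line reaches the log, so an empty result proves nothing, and systems that log through journald rather than a text syslog file need the same check applied to `journalctl -o short` output or to the journal's own fields.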

The fix was committed to the glibc codebase a few hours ago and will ship in tomorrow's glibc 2.39 release, together with fixes for two other vulnerabilities (CVE-2023-6779, CVE-2023-6780) that also affect the __vsyslog_internal() code and cause buffer overflows. In addition, Qualys warned of a buffer overflow in the qsort() implementation, which the glibc developers did not classify as a vulnerability, since exploiting it requires passing qsort an atypical comparison function that returns the difference of the compared values.

You can test whether a system is vulnerable with the following command:

Code:
$ (exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null)