Looking into the Looney Tunable Linux Privesc CVE-2023-4911
Author: IppSec
Uploaded: 9 Oct 2023
Views: 25,623
00:00 - Introduction talking about what the Looney Tunable exploit is and my thoughts on the severity of the exploit
02:30 - Start talking about how the vulnerability works
04:00 - The POC string to identify whether a box is vulnerable; it doesn't actually exploit anything but quickly identifies whether a vulnerable glibc is installed
05:45 - Important parts I wanted to point out in the technical writeup.
09:00 - Downloading a good POC written in python, then glancing over the code to make sure there isn't anything malicious
13:37 - Analyzing the exit shellcode manually in Ghidra to see it just exits with 0x66
18:50 - Analyzing the main shellcode in Ghidra, showing it does a lot more
21:50 - Putting the Shellcode into an elf binary, so we can analyze it with gdb
29:50 - Logging into HTB's TwoMillion machine to run this exploit
31:45 - Showing how to get the magic numbers in case your target is not supported; disabling ASLR, then running the exploit
34:50 - Looking at how Elastic got lucky and detected this exploit with their default ruleset
36:00 - Looking at how CrowdSec detects it
36:55 - Looking at the more recent Elastic rules to see the more thorough check for this exploit
40:40 - Showing all the segfaults in /var/log/kern.log
Highlighted Links:
Qualys Blog Post: https://blog.qualys.com/vulnerabiliti...
Qualys Tech Details: https://www.qualys.com/2023/10/03/cve...
Exploit POC Tweet: / 1710634253518582047
Elastic Initial Detection Tweet: / 1709866613292282101
Crowdsec Detection Tweet: / 1709959368467157244