CVE-2023-4911 Looney Tunables

CVE-2023-4911 Looney Tunables

In 2023, the Qualys team reported a vulnerability with a high criticality that affected a large number of Linux versions. This consisted of an escalation of local privileges by exploiting the buffer overflow in the dynamic loader of the GNU C library (glibc). 

The dynamic loader processing the GLIBC_TUNABLES environment variable causes this overflow, and a malicious agent could use this variable to launch binaries with SUID permissions, allowing it to execute code with elevated privileges. 

To replicate this vulnerability, a testing environment was implemented. First of all, you have to access the vulnerable machine: 

Zerolynx: conexión por SSH a la máquina vulnerable

To carry out the exploitation, you have to understand the POC that is provided. 

The dynamic loader uses the gclib_tunables environment variables, which allow developers to dynamically alter the behavior of the library at runtime. 

In this case, the code looks for any gclib_tunables variables in the environment variables and copies them to a new variable. The vulnerability arises when the variable contains unexpected inputs, since they are not handled safely and causing a buffer overflow. 

As an exploitation requirement, you must have: 

  • Running code with limited privileges on a vulnerable system. 


After verifying that it is vulnerable to Looney Tunables, with the help of the file, which in this case is already inside the machine, we execute it to generate the exploit. 

Zerolynx: Uso del archivo

The next step is to compile the exploit using GCC. The file that needs to be compiled is exp.c  

Zerolynx: malware ejecutable generado

After executing both commands, two files will have been generated, the POC necessary to exploit the vulnerability: 
  • An executable: “exp” 
  • The exploit: “” 

Zerolynx:. ejecución de malware

After executing the file that contained the exploit, after a short period of time you can see how the exploitation has been completed and the escalation of privileges has been successfully carried out. 


This vulnerability in the GNU C library (glibc) highlights the importance of secure management of environment variables on Linux systems. To specifically mitigate this vulnerability, the glibc package must be updated to the new versions available together and it must be verified that the changes have been applied satisfactorily.

Javier Muñoz , Cybersecurity Analyst at Zerolynx and 
Jorge Ezequiel de Francisco , Cybersecurity Analyst at Zerolynx .
return to blog

Leave a comment

Please note that comments must be approved before they are published.