LD_PRELOAD, LD_LIBRARY_PATH Overwriting
LD_PRELOAD and LD_LIBRARY_PATH might be vulnerable to privilege escalation (PrivEsc).
Investigation
Check sudo commands.
The below is the output example.
If we find the sudo command keeps LD_PRELOAD environment, we can overwrite this variable to load our custome shared object and escalate the privileges.
Also, we can replace the LD_PRELOAD with LD_LIBRARY_PATH.
By the way, to list shared libraries required by the executable, use ldd
command.
Exploitation
First off, create exploit.c under /tmp .
The "constructor" attribute is a special type of function attribute in GCC. It tells the compiler to automatically call the function before the main function.
Now compile the c program to shared object.
We can execute command with setting the shared library to LD_PRELOAD variable then spawn the root shell.
Last updated