Would you prefer to watch this as a video instead? See the video I made on Linux sudo LD_PRELOAD privilege escalation!
Background Information
Shared Libraries
Shared libraries let multiple programs use the same code, so each program does not need to re-invent the wheel by writing custom functions for every single task it needs to complete. Before a program is executed, shared libraries can be loaded into memory. One way of specifying shared libraries to load is by adding them to the LD_PRELOAD environment variable. Files added to LD_PRELOAD will be put into memory and potentially executed prior to the execution of the actual program that was invoked.
/etc/sudoers Environment Variables
By default, only specific environment variables are left unchanged while invoking a command through sudo. These include TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME, and SUDO_* variables as noted in the sudoers manual. This is due to the env_reset setting being enabled by default.
In order to preserve additional environment variables through sudo calls, variables can be added to env_keep. All variables that are included in env_keep will remain unchanged. If the LD_PRELOAD environment variable is added to env_keep then a user can specify shared libraries to load before the program is executed through sudo. This is dangerous and can lead to privilege escalation.
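To find this misconfiguration before someone else does, sudoers policy text can be scanned for Defaults entries that put a dynamic-linker variable into env_keep. The script below is an added example, not code from the original post; it goes beyond LD_PRELOAD by also checking LD_LIBRARY_PATH and LD_AUDIT, and the function names, the "deploy" user and the sample policy are constructed for illustration. It reports each line that adds such a variable and does not compute the final effective list.

```python
import fnmatch
import re

# Dynamic-linker variables that let the caller load code into the process sudo
# starts. The page covers LD_PRELOAD; the other two are added as an assumption.
LINKER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT")

# One "env_keep <op> value" setting; the value is a quoted list or a bare word.
SETTING = re.compile(r'\benv_keep\s*(\+=|-=|=)\s*(?:"([^"]*)"|([^\s,]+))')

def logical_lines(text):
    """Yield (first_line_no, line), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", 0
    if buf:
        yield start, buf  # file ended in the middle of a continuation

def audit_env_keep(text):
    """Return [(line_no, variable)] for linker variables added to env_keep."""
    findings = []
    for no, line in logical_lines(text):
        if not line.strip().startswith("Defaults"):
            continue  # comments, aliases and user specs cannot set env_keep
        for op, quoted, bare in SETTING.findall(line):
            if op == "-=":
                continue  # removes entries from the list
            for pattern in (quoted or bare).split():
                pattern = pattern.split("=", 1)[0]  # handle "VAR=value" entries
                # env_keep entries may contain '*', so match them as globs
                findings += [(no, v) for v in LINKER_VARS
                             if fnmatch.fnmatchcase(v, pattern)]
    return findings

# Constructed sample policy, not taken from any real host.
SAMPLE = '''\
Defaults env_reset
Defaults env_keep += "LANG LC_ALL"
# Defaults env_keep += "LD_PRELOAD"
Defaults env_keep += "COLORS \\
    LD_PRELOAD"
Defaults:deploy env_keep += LD_*
Defaults env_keep -= "LD_PRELOAD"
deploy ALL=(root) NOPASSWD: /usr/bin/ping
'''

if __name__ == "__main__":
    for line_no, var in audit_env_keep(SAMPLE):
        print(f"line {line_no}: env_keep preserves {var}")
```

Run it over /etc/sudoers and every file under /etc/sudoers.d; any hit should be removed from env_keep unless there is a documented reason for it.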
The Exploit
If you’re looking to find a privilege escalation method and the output of sudo -l shows that LD_PRELOAD is added to env_keep as shown below, you are in luck! The user will need sudo access to run some command, but it does not matter what the command is. A malicious shared object can be created that will allow us to get root on the machine very quickly.

Creating The Payload
A simple shared object file will need to be created and compiled in order to exploit this. Our shared object will be called before the actual command that was called with sudo. In this case, since running sudo /usr/bin/ping will execute the command as root, our shared…