If LD_LIBRARY_PATH is preserved by sudo, then it is possible to use a malicious dynamic library to gain root access. The environment variables that sudo preserves are listed by "sudo -l".
Use ldd to see which libraries a program already pulls in, and name your malicious library after one of them. Then run sudo LD_LIBRARY_PATH=/path/to/malicious/library program-runnable-with-nopasswd to trick the program into loading your malicious library instead of the legitimate system library.
While the same code as for LD_PRELOAD can be used as a starting point for an LD_LIBRARY_PATH exploit, things get trickier: some libraries are required by others, are loaded at different times, or have functions (symbols) that are loaded but not used right away. So some trial and error, both in the naming of the malicious library and in which functions are defined within it, may be required.
Not every UNIX-like system calls its library path LD_LIBRARY_PATH!
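The practical check on the defending side is whether sudo's env_keep list lets any dynamic-loader variable survive env_reset. The audit helper below is an added example, not part of the original note: it scans sudoers text or "sudo -l" output for env_keep clauses that name loader variables, covering LD_LIBRARY_PATH and LD_PRELOAD on Linux plus the equivalents used by other UNIX-like systems (DYLD_* on macOS, LIBPATH on AIX, SHLIB_PATH on HP-UX). The three configuration samples (a weak one, a corrected one, and a "sudo -l" style listing), the user "alice" and the command path are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the original note). Flags sudo configurations
# whose env_keep preserves dynamic-loader variables through env_reset.
# All sudoers text below is constructed for illustration; in practice feed the
# functions real "sudo -l" output or the contents of /etc/sudoers and
# /etc/sudoers.d/*.

# Weak configuration: LD_LIBRARY_PATH and LD_PRELOAD survive env_reset, so a
# NOPASSWD command can be run with a caller-controlled library search path.
WEAK_SUDOERS='Defaults env_reset
Defaults env_keep += "LD_LIBRARY_PATH LD_PRELOAD"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
alice ALL=(root) NOPASSWD: /usr/bin/apache2'

# Corrected configuration: the same rule, but env_keep carries only harmless
# locale variables, so sudo strips the loader variables before exec.
FIXED_SUDOERS='Defaults env_reset
Defaults env_keep += "LANG LC_ALL TZ"
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
alice ALL=(root) NOPASSWD: /usr/bin/apache2'

# The same weak setting as "sudo -l" prints it: one env_keep clause per
# variable, comma separated on a single line.
SUDO_L_OUTPUT='Matching Defaults entries for alice on host:
    env_reset, env_keep+=LD_LIBRARY_PATH, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host:
    (root) NOPASSWD: /usr/bin/apache2'

# preserved_loader_vars TEXT
#   Print, sorted and one per line, every loader variable named inside an
#   env_keep clause of TEXT. Prints nothing when none are preserved.
#   Each env_keep clause is isolated first (up to the next comma or end of
#   line) so that loader names appearing elsewhere, e.g. in a comment, are
#   not counted.
preserved_loader_vars() {
    printf '%s\n' "$1" \
      | grep -o 'env_keep[^,]*' \
      | grep -oE 'LD_(LIBRARY_PATH|PRELOAD)|DYLD_[A-Z_]+|LIBPATH|SHLIB_PATH' \
      | LC_ALL=C sort -u
}

# sudoers_is_safe TEXT
#   Succeed (exit 0) when TEXT preserves no loader variable, fail otherwise.
sudoers_is_safe() {
    [ -z "$(preserved_loader_vars "$1")" ]
}

# audit LABEL TEXT
#   Human-readable verdict for one configuration sample.
audit() {
    if sudoers_is_safe "$2"; then
        echo "$1: OK, no loader variables preserved by env_keep"
    else
        echo "$1: WARNING, env_keep preserves: $(preserved_loader_vars "$2" | tr '\n' ' ')"
    fi
}

audit "weak sudoers"   "$WEAK_SUDOERS"
audit "fixed sudoers"  "$FIXED_SUDOERS"
audit "sudo -l output" "$SUDO_L_OUTPUT"
```

Running the script prints a warning for the weak sudoers file and for the "sudo -l" listing, and an OK for the corrected one. The fix itself is the second sample: keep env_reset and drop every loader variable from env_keep; if a program genuinely needs a non-default library path under sudo, set it in a wrapper script that sudo is allowed to run rather than letting the caller pass it through the environment.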