Exploiting LD_LIBRARY_PATH

author: Nathan Acks
date: 2021-10-31

If LD_LIBRARY_PATH is preserved by sudo, then it’s possible to use a malicious dynamic library to gain root access. Preserved environment variables are listed by sudo -l.

Use ldd to see what libraries a program is already pulling in, and then name your malicious library after one of these. Then run sudo LD_LIBRARY_PATH=/path/to/malicious/library program-runnable-with-nopasswd to trick the program into loading your malicious library instead of the legitimate system library.

While the same code as LD_PRELOAD can be used as a starting point for an LD_LIBRARY_PATH exploit, things get trickier because some libraries are required by others, loaded at different times, or have functions (symbols) that are loaded but not used right away. So some amount of trial-and-error, both in the naming of the malicious library and in what functions are defined within it, may be required.

NOTE that not every UNIX-like system calls their library path LD_LIBRARY_PATH!