ericherman / ld-preload-evil Goto Github PK

This code is like a workbook for exploring how LD_PRELOAD can be used to
change the behavior of programs.


CONCLUSIONS
-----------
So far, I have learned that it is trivial to do "small evil" things,
like changing behavior, but I do not yet see how to do "big evil"
things, such as privilege escalation.

Experimentally, I see two kinds of prevention (PRELOAD ignored and SUID
ignored); I do not yet have a very full picture of how this is enforced
or where it is enforced.

My version of "man 8 ld-linix" says:

	For set-user-ID/set-group-ID ELF  binaries, preload
	pathnames containing slashes are ignored, and libraries in
	the standard search directories are loaded only if the
	set-user-ID permission bit is enabled on the library file.

In glibc/elf/rtld.c we see:
1484       /* The LD_PRELOAD environment variable gives list of libraries
1485          separated by white space or colons that are loaded before the
1486          executable's dependencies and prepended to the global scope
1487          list.  If the binary is running setuid all elements
1488          containing a '/' are ignored since it is insecure.  */

To me, LD_PRELOAD appears to be a great tool for legitimate modifying
and instrumenting behavior, and does not seem to greatly widen risk of a
system.


COMPILING
---------
At this time, the Makefile only supports linux.
On linux systems, just type "make".

~/src/ld-preload-evil$ make

This will build "lib.so.1.0" and "main"


EXAMPLE USAGE
-------------
eric@titan:~/src/ld-preload-evil$ ./main
foobar
eric@titan:~/src/ld-preload-evil$ LD_PRELOAD=./lib.so.1 ./main
Doing evil stuff as UID: 1000, GID: 1000!
foobar
eric@titan:~/src/ld-preload-evil$


NO ESCALATION FROM A SUID BINARY
--------------------------------
# on one system, it seems that LD_PRELOAD is not used with SUID root binaries:
eric@titan:~/src/ld-preload-evil$ sudo chown root:root ./main
eric@titan:~/src/ld-preload-evil$ sudo chmod 6777 ./main
eric@titan:~/src/ld-preload-evil$ ls -l main
-rwsrwsrwx 1 root root 11110 Oct  1 12:15 main
eric@titan:~/src/ld-preload-evil$ ./main
foobar
eric@titan:~/src/ld-preload-evil$ LD_PRELOAD=./lib.so.1 ./main
foobar
eric@titan:~/src/ld-preload-evil$

# on another, it seems as if using LD_PRELOAD removes the SUIDness:
eric@hinney:~/src/ld-preload-evil$ sudo chown root:root ./main
eric@hinney:~/src/ld-preload-evil$ sudo chmod 6777 ./main
eric@hinney:~/src/ld-preload-evil$ ls -l main
-rwsrwsrwx 1 root root 11110 Oct  1 13:21 main
eric@hinney:~/src/ld-preload-evil$ LD_PRELOAD=./lib.so.1 ./main
Doing evil stuff as UID: 1000, GID: 1000!
foobar
eric@hinney:~/src/ld-preload-evil$


CONTRIBUTING
------------
Patches welcome; pull-requests welcome.

Especially if you have clear demonstation of a way in which LD_PRELOAD can be
used by a non-root user to do something which would scare a sysadmin.


LICENSE
-------
This is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation, either version 3 of the License, or (at your
option) any later version.