ldconfig
AlessandroZ opened this issue · 2 comments
AlessandroZ commented
If ldconfig binary is suid, it would be possible to change library path loaded by other binaries in order to hijack libs.
I don't know how to create a good example to add it to the list but I think it should be added.
Here are 2 different examples:
- https://www.boiteaklou.fr/Abusing-Shared-Libraries.html#3-setuid-bit-on-ldconfig
- https://0xrick.github.io/hack-the-box/dab/#hijacking-dynamically-linked-shared-object-library-and-getting-root
Thanks
cyrus-and commented
Alright, I finally managed to look into this. I remember that HTB box and yes it's difficult to come up with a good example so I kept the basic technique simple and added a mini-PoC. Feel free to tell us what you think.
AlessandroZ commented
Perfect. Thanks again ;)