LD_PRELOAD Exploitation - DC9723
Download as ODP, PDF5 likes3,766 views
The document discusses how the Linux dynamic loader and LD_PRELOAD environment variable can be exploited to intercept and modify the behavior of shared library functions at runtime. It provides examples of how this technique could be used to implement a man-in-the-middle attack on OpenSSH authentication, log passwords, and extend the functionality of system programs like 'cat'. While powerful for debugging, this approach also has security disadvantages as it requires access to the executable and works only on exported symbols.
![Exploiting the Linux Dynamic Loader with LD_PRELOAD David Kaplan [email_address] DC9723 – June 2011](https://image.slidesharecdn.com/ldpreloadpresentationdc9723june11final-110625112630-phpapp01/85/LD_PRELOAD-Exploitation-DC9723-1-320.jpg)
LD_PRELOAD Exploitation - DC9723
- 1. Exploiting the Linux Dynamic Loader with LD_PRELOAD David Kaplan [email_address] DC9723 – June 2011
- 2. The Executable and linking format (ELF) } linkers loaders libraries
- 3. Linkers combine compiled code fragments into single memory-loadable executable $ ld obj1.o obj2.o –o linked.o symbol resolution program components reference each other through symbols (ELF .symtab) Relocation adjustment of code/data sections (also performed by the loader)
- 4. Loaders copy code and data into memory memory allocation/mapping relocation Also performed by the linker execve()
- 5. Libraries statically-linked dynamically-linked (shared)* collections of reusable compiled code *historically: a shared library was something else entirely
- 6. Statically-linked libraries code copied into final binary be aware of: cyclic dependencies, multiple symbol definitions $ld obj1.o obj2.o /usr/lib/libname.a CODE my_print() { printf(); } main() { my_print(); } main() { my_print(); } my_print() { printf(); } printf() { vfprintf(); } LIBC STATICALLY LINKED FILESIZE
- 7. Dynamically-linked libraries dynamic loader (ld.so) resolves symbols at exectime Process: - execve() loads executable code into memory
- 8. - control is passed to the dynamic linker (ld.so) which maps shared objects to program address space (resolves symbols)
- 9. - control is then passed to the application can be called from within the application at runtime By linking ld and calling dlopen(), etc. CODE my_print() { printf(); } main() { my_print(); } main() { my_print(); } my_print() { printf(); } printf(); DYNAMICALLY LINKED FILESIZE LIBC
- 10. So what is LD_PRELOAD? environment var queried by dynamic linker on exec allows dynamic linker to prioritize linking defined shared libs $ LD_PRELOAD=“./mylib.so” ./myexec
- 11. Attack enablers OS ‘features’ weak system security good coding practices general_rule: good_for_devs == good_for_hackers ; goto general_rule ;
- 12. Attack advantages easy, effective on unprotected systems code interception code injection program flow manipulation debugging using wrapper functions
- 13. Attack disadvantages } can be protected against requires access to executable requires relevant privileges works on used, imported symbols
- 14. Example 1 – Hello World $ nm -D make_goodbye.so 000000000000069c T printf U stdout U vfprintf $ nm -D hello w __gmon_start__ U __libc_start_main U printf Undefined symbol Symbol exists in .text
- 15. Example 1 – Hello World – cont. *in practice it works slightly differently – this is just a conceptual explanation NORMAL SYMBOL RESOLUTION: LOADER HELLO printf() ?? DYNAMIC LINKER LIBC.SO Hello World! REDIRECTED SYMBOL RESOLUTION: LOADER HELLO printf() ?? DYNAMIC LINKER GOODBYE.SO Goodbye World! LIBC.SO fprintf() ??
- 16. Example 2 – OpenSSH MITM dynamically links openssl checks public key against known_hosts with BN_cmp() BN_cmp() must pass (== 0) for iterations 3 and 5
- 17. Example 3 – OpenSSH password logger catch write() w/ string literal “’s password” log read()s until ‘\n’
- 18. Example 4 – Extending ‘cat’ functionality intercept __snprintf_check() to add to usage() wrap getopt_long() to catch new command line option catch write(), vfork() and launch browser for each link
- 19. provides reusable library of function sigs (sorry about the code quality!) ./preloader reduces repetitive tasks tool that does *some* of the work for you http://www.github.com/2of1/preloader
- 20. Reverse Engineering with LD_PRELOAD (Itzik Kotler) http://securityvulns.com/articles/reveng/ Linkers and Loaders (Sandeep Grover) http://www.linuxjournal.com/article/6463 Dynamic Linker (Wikipedia) http://en.wikipedia.org/wiki/Dynamic_linker man ld.so Further reading
- 21. “ Know your enemy and know yourself and you can fight a thousand battles without disaster” Sun Wu Tzu, The Art of War “ There is no right and wrong. There’s only fun and boring” The Plague, Hackers 1995 Final thoughts