Dynamic Linker Hijacking

Adversaries may execute their won malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, de-conflict mapped symbols, and implement custom functions without changing the original library

On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.

In this example I've built a small static library that when loaded it just prints out "Hello World" you must be careful with these libraries to not consume resources as this will crash the application or make the OS unusable depending on what you've hijacked.

#define _GNU_SOURCE
#include <stdio.h>
 
__attribute__((constructor)) void run_hello(void) {
    printf("Hello World\n");
}

We proceed to compile this gcc -shared -fPIC -o /tmp/hello.so hello.c and we can test the preload with the following

But we can also set the environment variable to utilize this library

You will notice that almost every binary that utilizes shared libraries will load our malicious one

Now we can use the ld.so.preload file but this is a system shared object and will need root access, using this file is straightforward we create our so file then move it to the /etc/ld.so.preload location and when any application is running it will always use this one first.

I've encountered errors since the library can't be preloaded, but this is what will happen with a correct functioning one, every application will try to load it with root level access.

Reference:

https://www.getambassador.io/blog/code-injection-on-linux-and-macos

https://www.baeldung.com/linux/ld_preload-trick-what-is