Overview
Linux binaries load shared libraries (.so) at runtime. If you can control where libraries are loaded from, you can inject malicious code that runs with the binary’s privileges.
Library Search Order
Writable /etc/ld.so.conf.d/
/tmp/evil/ matching a library name used by a root process.
Writable Library Directories
Check if any configured library path is writable:RPATH / RUNPATH Injection
Check Binary for RPATH/RUNPATH
Example Output
/home/user/lib is writable:
Find Libraries the Binary Loads
Create Malicious Library
Missing Shared Library
If a SUID binary or root service tries to load a library that doesn’t exist:Find Missing Libraries
Example
ld.so.preload
/etc/ld.so.preload is loaded before all other libraries for every binary.
Check Permissions
evil.so:
ldconfig Abuse
If you can runldconfig (directly or via sudo):
/etc/ld.so.conf.d/ or placing library in existing path, ldconfig rebuilds the cache:
Quick Reference
| Scenario | Technique |
|---|---|
Writable /etc/ld.so.conf.d/ | Add custom lib path + ldconfig |
| Writable RPATH/RUNPATH dir | Drop malicious .so |
| Missing library (not found) | Create .so in search path |
Writable /etc/ld.so.preload | Preload malicious .so globally |
| Writable library directory | Replace existing .so |