$30 off During Our Annual Pro Sale. View Details »

Whitelisting LD_PRELOAD For Fun and No Profit

Tony M Lambert
February 01, 2020
Programming
0
270

Whitelisting LD_PRELOAD For Fun and No Profit

Sometimes bolting a security solution on the side of technology just doesn’t work as well as built-in protection. One example of this on Linux systems is libpreloadvaccine, a whitelisting solution I built that aimed, and failed, to provide foolproof protection against abuse of LD_PRELOAD process injection. This talk will cover how adversaries use LD_PRELOAD, how its built-in audit system works, and how the audit system can be leveraged for whitelisting. We’ll also examine design and implementation considerations for whitelisting, closing the talk by showing how checks built into the dynamic linker would be much more effective than a solution thrown on top.

Tony M Lambert

February 01, 2020
Tweet

More Decks by Tony M Lambert

See All by Tony M Lambert
The Wild World of macOS Installers
forensicitguy
0
23
Alertable Techniques for Linux using MITRE ATT&CK
forensicitguy
1
2k
Spotting Lateral Movement - BSides Augusta 2019
forensicitguy
1
870
Intelligence Driven Testing with Atomic Red Team
forensicitguy
2
340
Spotting Lateral Movement with Endpoint Data
forensicitguy
2
560

Other Decks in Programming

See All in Programming
第42回ロボティクス勉強会:実環境を手軽にシミュレータ環境に持ってくるpointcloud2gazebo
atinfinity
0
820
SONY NEWS NetBSD移植作業とNWS-3260展示 / KOF2023
tsutsui
0
440
OSBT: OpenID Connect Scenario-Based Tester – CODE BLUE 2023
melonattacker
0
210
クソアプリを作ってみた💩 / kusojaku
uhooi
0
160
アクセシビリティを理解するとフロントエンドのテストが楽になる!
nano72mkn
1
1.7k
OpenTelemetry の Trace を中心としたパフォーマンス改善
rmatsuoka
0
410
The Secret Ingredient: How to Understand and Resolve Just about Any Flaky Test
aridlehoover
PRO
1
180
JSConfjp2023 Storybook駆動開発の再現性と効率化
kinocoboy2
1
1.9k
Next.js App Router での MPA フロントエンド刷新
mugi_uno
25
8.3k
BigQuery のデータ品質やデータ活用を高める Dataplex 等の活用
mot_techtalk
4
610
從零開始打造可觀測性平台
blueswen
3
1.4k
Scala Left Fold Parallelisation - Three Approaches
philipschwarz
PRO
0
240

Featured

See All Featured
Testing 201, or: Great Expectations
jmmastey
26
6.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
How to name files
jennybc
59
87k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.2k
KATA
mclloyd
13
11k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
31k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.9k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
240
20k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
Why Our Code Smells
bkeepers
PRO
329
56k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
4.1k

Transcript

  1. Whitelisting
    LD_PRELOAD
    For Fun and No Profit

    View Slide

  2. ▪ Professional tinkerer & educator
    ▪ Recovering system administrator
    ▪ Love to make bad guys have bad days
    Tony Lambert
    Detection Engineer/Intel
    Red Canary
    @ForensicITGuy
    id -un

    View Slide

  3. What is LD_PRELOAD and how is it used?
    Examining the rtld-audit subsystem
    Whitelisting LD_PRELOAD
    What worked and what didn’t
    Overview

    View Slide

  4. ▪ glibc & musl environment variable
    ▪ Injects arbitrary SO file into process
    ▪ LD_PRELOAD or /etc/ld.so.preload
    Intro to LD_PRELOAD

    View Slide

  5. rtld.c

    View Slide

  6. Get Started With Env Var
    LS
    SHELL=/bin/bash
    PATH=/long/list/of/folders

    LD_PRELOAD=injected.so
    /proc/PID/env

    View Slide

  7. Make It Persistent
    $ LD_PRELOAD=injected.so ls
    $ export LD_PRELOAD=injected.so
    # echo injected.so > /etc/ld.so.preload
    # echo LD_PRELOAD=injected.so >> /etc/profile

    View Slide

  8. It Can Be Good!
    LS
    libdl.so
    libc.so test-libc.so

    View Slide

  9. Evil Use Cases
    ■ Hooking functions and calls
    ■ Automatic code execution on load

    View Slide

  10. Hooking Functions
    ■ Define function with same name
    ■ Manipulate output and fool user
    ■ libprocesshider

    View Slide

  11. It Can be Very Bad!
    PS
    libc.so
    readdir()
    evil.so
    readdir()
    Intact Listing
    Bash
    Python evil.py
    Tainted Listing
    Bash
    ...

    View Slide

  12. Hooking Example

    View Slide

  13. Execution on Load
    ■ No knowledge of target binary needed
    ■ Code stored in ELF .init section
    ■ Zombie Ant Farm Project

    View Slide

  14. Execution Example

    View Slide

  15. The rtld-audit Subsystem
    ■ Audit API for the dynamic linker
    ■ Write a SO library to implement
    ■ Use with LD_AUDIT variable

    View Slide

  16. Lots of functions
    la_objsearch()
    la_activity()
    la_objopen()
    la_objclose()
    la_preinit()
    la_symbind*()
    la_pltenter()
    la_pltexit()

    View Slide

  17. At First, I Wanted to Log
    la_objsearch()
    la_activity()
    la_objopen()
    la_objclose()
    la_preinit()
    la_symbind*()
    la_pltenter()
    la_pltexit()

    View Slide

  18. I Realized I Could Prevent
    la_objsearch()
    la_activity()
    la_objopen()
    la_objclose()
    la_preinit()
    la_symbind*()
    la_pltenter()
    la_pltexit()

    View Slide

  19. Intercept Before Load
    la_objsearch()
    The dynamic linker invokes this function to inform
    the auditing library that it is about to search for a
    shared object.
    rtld-audit(7) manpage

    View Slide

  20. You Had Me At “return NULL”
    la_objsearch()
    ...returns the pathname that the dynamic linker
    should use... If NULL is returned, then this
    pathname is ignored for further processing.
    rtld-audit(7) manpage

    View Slide

  21. View Slide

  22. Let’s Block Some Preloads!
    ■ Define unauthorized preloads
    ■ Define authorized preloads
    ■ Monitor for unauthorized loads
    ■ Mitigate the loads

    View Slide

  23. Unauthorized Preloads
    ■ Unpredictable preloads
    ■ Unlimited forms of evil
    ■ Block by default

    View Slide

  24. Authorized Preloads
    ■ Unpredictable system configuration
    ■ Wanted ease of administration
    ■ Modeled after cron.allow, hosts.allow

    View Slide

  25. Monitor & Block Preloads
    ■ Intercept module search
    ■ Check the allowed list
    ■ Return NULL if not allowed to block

    View Slide

  26. Enter Libpreloadvaccine!
    ■ LD_AUDIT SO library
    ■ Intercepts and blocks
    ■ Just worksTM
    github.com/ForensicITGuy/libpreloadvaccine
    Logo left intentionally blank.

    View Slide

  27. Simple Logic

    View Slide

  28. Simple Authorized List
    /etc/libpreloadvaccine.allow
    ■ Check the allowed list
    ■ Return NULL if not allowed to block

    View Slide

  29. Simple Deployment
    1. Compile with gcc
    2. Move to folder
    3. Set LD_AUDIT
    export LD_AUDIT=/usr/lib/libpreloadvaccine.so

    View Slide

  30. Success! Sort of...

    View Slide

  31. Catch it in Action!

    View Slide

  32. And Bypass it After!

    View Slide

  33. Lessons Learned

    View Slide

  34. Keep Security Close to Code
    ■ Bolted on solutions don’t always work
    ■ Code inside rtld.c would be harder to bypass
    ■ Attackers with root can have unlimited access

    View Slide

  35. FEEDBACK
    Q & A
    REDCANARY.COM/BLOG
    @REDCANARYCO
    GITHUB.COM/FORENSICITGUY/LIBPRELOADVACCINE
    @FORENSICITGUY

    View Slide