Shulou(Shulou.com)06/01 Report--

This article mainly shows you "how to detect library injection on Linux", the content is easy to understand, clear, hope to help you solve doubts, the following let the editor lead you to study and learn "how to detect library injection on Linux" this article.

Shared library vulnerability

DLL and .so files are shared library files that allow code (and sometimes data) to be shared by different processes. Common code can be put into a file so that each process that needs it can be reused instead of being rewritten multiple times. This also facilitates the management of common code.

These shared libraries are often used by Linux processes. The ldd command (showing shared object dependencies) can display its shared libraries for any program file. Here are some examples:

$ldd / bin/date linux-vdso.so.1 (0x00007ffc5f179000) libc.so.6 = > / lib/x86_64-linux-gnu/libc.so.6 (0x00007f02bea15000) / lib64/ld-linux-x86-64.so.2 (0x00007f02bec3a000) $ldd / bin/netstat linux-vdso.so.1 (0x00007ffcb67cd000) libselinux.so.1 = > / lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f45e5d7b000) Libc.so.6 = > / lib/x86_64-linux-gnu/libc.so.6 (0x00007f45e5b90000) libpcre.so.3 = > / lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f45e5b1c000) libdl.so.2 = > / lib/x86_64-linux-gnu/libdl.so.2 (0x00007f45e5b16000) / lib64/ld-linux-x86-64.so.2 (0x00007f45e5dec000) libpthread.so.0 = > / lib/x86_ 64-linux-gnu/libpthread.so.0 (0x00007f45e5af5000)

Linux-vdso.so.1 (which may have different names on some systems) is a file that the kernel automatically maps to the address space of each process. Its job is to find and locate other shared libraries needed by the process.

One way to take advantage of the library loading mechanism is by using the LD_PRELOAD environment variable. As Jaime Blasco explained in his research, "LD_PRELOAD is a very simple and very popular way to load a shared library when a process starts. You can configure this environment variable to the path of the shared library to load the shared library before loading other shared objects."

To show how simple it is, I created an extremely simple shared library and assigned it to my (previously non-existent) LD_PRELOAD environment variable. Then I use the ldd command to see how it affects common Linux commands.

$export LD_PRELOAD=/home/shs/shownum.so$ ldd / bin/date linux-vdso.so.1 (0x00007ffe005ce000) / home/shs/shownum.so (0x00007f1e6b65f000) / lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e6b458000) / lib64/ld-linux-x86-64.so.2 (0x00007f1e6b682000)

Note that simply assigning a new library to LD_PRELOAD affects any program that is running.

By setting the shared libraries specified by LD_PRELOAD to be loaded first (immediately after linux-vdso.so.1), these libraries can greatly change a process. For example, they can redirect system calls to their own resources or make unexpected changes to the way the program runs.

The osquery tool can detect library injection

The osquery tool (available for download at osquery.io) provides a very unique way to view Linux systems. It basically regards the operating system as a high-performance relational database. Then, as you might guess, this means that it can be used to query and generate the SQL table, which provides details such as the following:

A running process

Loaded kernel module

Open web links

A kernel table that provides process information is called process_envs. It provides detailed information about the use of environment variables by various processes. Jaime Blasco provides a fairly complex query that can be used to identify processes using LD_PRELOAD using osquery.

Note that this query fetches data from the process_envs table. Attack ID (T1055) refer to Mitre's explanation of the attack method.

SELECT process_envs.pid as source_process_id, process_envs.key as environment_variable_key, process_envs.value as environment_variable_value, processes.name as source_process, processes.path as file_path, processes.cmdline as source_process_commandline, processes.cwd as current_working_directory, 'T1055' as event_attack_id, 'Process Injection' as event_attack_technique,' Defense Evasion, Privilege Escalation' as event_attack_tactic FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD'

Note that the LD_PRELOAD environment variable is sometimes used legally. For example, it may be used by various security monitoring tools because developers need to troubleshoot, debug, or analyze performance. However, its use is still rare and should be prevented.

It is also worth noting that osquery can be used interactively or run as a daemon for periodic queries. For more information, please refer to the reference at the end of the article.

You can also locate the use of LD_PRELOAD by looking at the user's environment settings. If LD_PRELOAD is used in a user's account, you can use this command to view (assuming that after logging in as an individual):

$env | the above grep PRELOADLD_PRELOAD=/home/username/userlib.so is all the contents of the article "how to detect library injection on Linux". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.