ldd arbitrary code execution

submitted by
Style Pass
2022-01-22 05:30:04

The ldd utility is more vulnerable than you think. It's frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong!

In this article I am going to show you how to create an executable that runs arbitrary code if it's examined by ldd. I have also written a social engineering scenario on how you can get your sysadmin to unknowingly hand you his privileges.

I researched this subject thoroughly and found that it's almost completely undocumented. I have no idea how this could have gone unnoticed for such a long time. Here are the only few documents that mention this interesting behavior: 1, 2, 3, 4.

The first command [1] runs ldd on /bin/grep. The output is what we expect -- a list of dynamic libraries that /bin/grep depends on.

The second command [2] sets the LD_TRACE_LOADED_OBJECTS environment variable and seemingly executes /bin/grep (but not quite). Surprisingly the output is the same!
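LD_TRACE_LOADED_OBJECTS is acted on by the dynamic loader that the executable itself names in its PT_INTERP program header, so a defender can inspect that header statically before letting ldd near an untrusted file. The following is an added example, not code from the article; the loader allowlist, the function names and the sample ELF image are assumptions constructed for illustration.

```python
import struct

# Assumption: allowlist of loaders you trust; adjust for your distribution.
TRUSTED_LOADERS = {"/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2"}
PT_INTERP = 3

def elf_interpreter(data):
    """Return the PT_INTERP path of an ELF image (None if absent), without running it."""
    if data[:4] != b"\x7fELF" or len(data) < 52 or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a recognisable ELF file")
    is64, e = data[4] == 2, "<" if data[5] == 1 else ">"
    try:
        if is64:
            (phoff,) = struct.unpack_from(e + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 0x36)
        else:
            (phoff,) = struct.unpack_from(e + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(e + "HH", data, 0x2A)
        for i in range(phnum):
            base = phoff + i * phentsize
            if is64:  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
                p_type, _, off, _, _, size = struct.unpack_from(e + "IIQQQQ", data, base)
            else:  # p_type, p_offset, p_vaddr, p_paddr, p_filesz
                p_type, off, _, _, size = struct.unpack_from(e + "IIIII", data, base)
            if p_type == PT_INTERP:
                if off + size > len(data):
                    raise ValueError("PT_INTERP points outside the file")
                return data[off:off + size].split(b"\0", 1)[0].decode("utf-8", "replace")
    except struct.error as exc:
        raise ValueError("truncated ELF headers") from exc
    return None

def classify(data):
    """'none', 'trusted' or 'untrusted' for the loader the binary asks for."""
    interp = elf_interpreter(data)
    if interp is None:
        return "none"
    return "trusted" if interp in TRUSTED_LOADERS else "untrusted"

def sample_elf(interp):
    """Constructed 64-bit little-endian ELF image with a single PT_INTERP header."""
    s = interp.encode() + b"\0"
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 120, 0, 0, len(s), len(s), 1)
    return hdr + ph + s

# Constructed inputs: one standard loader path, one path outside the allowlist.
print(classify(sample_elf("/lib64/ld-linux-x86-64.so.2")),
      classify(sample_elf("/opt/example/ld-custom.so")))
```

For real files, pass `open(path, "rb").read()` to `classify`; `objdump -p FILE | grep NEEDED` lists the needed libraries in the same non-executing way.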
