While not nearly commonly seen on Linux systems, library (shared object files on Linux) injections are still a serious threat. On interviewing Jaime Blasco from AT&T’s Alien Labs, I’ve become more aware of how easily some of these attacks are conducted.
In this post, I’ll cover one method of attack and some ways that it can be detected. I’ll also provide some links that will provide more details on both attack methods and detection tools. First, a little background.
Shared library vulnerability
Both DLL and .so files are shared library files that allow code (and sometimes data) to be shared by various processes. Commonly used code might be put into one of these files so that it can be reused rather than rewritten many times over for each process that requires it. This also facilitates management of commonly used code.