LD_PRELOAD, the Invisible Key Theft

https://bomfather.dev/blog/ld-preload-the-invisible-key-theft/
29•nathan_naveen•2h ago

Comments

eqvinox•1h ago
This is not a vulnerability. If someone can modify your environment variables or /etc/ld.so.conf, your system is already wholly, entirely and utterly compromised.
nathan_naveen•1h ago
Hey, we agree that if someone can modify your env variables you have got problems ;) But, if you have valuable data on your system then you should have defense in depth so that your most important stuff (secrets, etc...) isn't stolen.
eqvinox•47m ago
Sure, but that's not what your article is arguing. You literally have a heading "The Vulnerability". It's not a vulnerability, it's not an attack, it's just one option of what you can do after you're done exploiting your way into a system. Not even sure it's a particularly good option; modifying environment variables will mean that at least the target user is fully compromised. In turn, that will mean in pretty much all cases that the attacker is able to just transfer out any and all private keys. And note LD_PRELOAD is only applied when you start something; restarting a long-running process might in itself raise alarm bells or require re-unlocking keys. Much easier to directly take the keys from running process memory.
stuaxo•1h ago
How is someone supposed to deploy this?
FeepingCreature•1h ago
First, have remote shell.
TheAdamist•1h ago
LD_AUDIT is even more powerful and fun to use. And far lesser known.
nathan_naveen•1h ago
Thank you! We will take a look!
Mattwmaster58•1h ago
This doesn't seem like a realistic threat to me. Under what circumstances are you not pretty much completely pwned if an attacker could start their own processes, or have root access?

This sort of seems like saying IF an attacker gets the keys to your car, they could install a module that would allow them to come back and steal the car with a push of a button. Technically true, but they could also just steal the car straight up, or do any number of other things.

webstrand•1h ago
Yeah if you have the level of access necessary to inject a LD_PRELOAD, you have the level of access necessary to set PATH so an entirely different binary loads, too.
nathan_naveen•38m ago
Question... if you change the path, wouldn't a decent security tool be able to identify that it is a different executable? Also, if you are allowing an executable to access a directory, then the executable should also be protected. Thoughts?
blibble•27m ago
there aren't any decent security tools

it's snake oil

assume each and every VM is born compromised and deal with them accordingly

richm44•19m ago
If that same tool is unable to spot LD_PRELOAD in use then I'd suggest getting a new one. :-)
csande17•1h ago
OP seems to be a startup selling an eBPF script that tries to identify whether individual executables running as your user "should" or "should not" do particular things. (Like a Windows antivirus program, but for build servers and AI training.) I guess in that context it's good to remember that LD_PRELOAD exists, so it's easy to make any action appear to originate from any executable.
formerly_proven•1h ago
> run EDR

> does not detect initial compromise

> does not detect persistent so

> does not detect preloads

> does not detect injection

> does not detect exfiltration

What does the D stand for again? Besides the entire threat vector and article being an unsurprising non-story. Yes, if you can modify the execution environment you can modify the executed code.

ilc•57m ago
What do you take if you use a bad one?
danielhlockard•1h ago
Dear lord. This is not new. LD_PRELOAD to do things like this existed even back when I was doing Cyber Defense Competitions at Iowa State back in '07.
bpt3•1h ago
Yep. Every few months, someone learns about this, thinks they've made a new discovery, and writes a breathless blog post imagining the possibilities of what can be done with it.

Spoiler alert, you almost certainly have been completely pwned already if someone can set LD_PRELOAD or modify /etc/ld.so.conf.

Retr0id•39m ago
LD_PRELOAD "works as designed" but people who don't know about it often make false assumptions, leading to exploitable bugs.

One such assumption is "if /bin/foo is a trustworthy executable then any process with /proc/pid/exe pointing to /bin/foo is trustworthy"

nathan_naveen•36m ago
Exactly, that is our thought process!

We know that this isn't anything revolutionary, but most people assume that this kind of thing can't happen, so we wrote a blog post about it.

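One way to do the check richm44 and Retr0id are describing: look at each process's initial environment and its actual library mappings instead of trusting /proc/pid/exe. This is an added example, not code from the thread or from Bomfather; the trusted directory list and the sample /proc contents are constructed assumptions.

```python
from pathlib import Path
# Assumption: libraries live under these prefixes (tune per image); a .so elsewhere is suspect.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
LOADER_VARS = ("LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH")

def parse_environ(raw: bytes) -> dict:
    """/proc/<pid>/environ: NUL-terminated KEY=VALUE entries."""
    pairs = (e.partition(b"=") for e in raw.split(b"\0") if b"=" in e)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in pairs}

def mapped_libraries(maps_text: str) -> set:
    """File-backed shared objects in /proc/<pid>/maps (path is the 6th column)."""
    libs = set()
    for line in maps_text.splitlines():
        f = line.split(maxsplit=5)
        if len(f) == 6 and f[5].startswith("/") and ".so" in f[5].rsplit("/", 1)[-1]:
            libs.add(f[5])
    return libs

def findings(environ_raw: bytes, maps_text: str) -> list:
    """One process's findings. The maps check also catches /etc/ld.so.preload
    injection (no env var at all) and a process that scrubbed its own LD_PRELOAD."""
    out, env = [], parse_environ(environ_raw)
    for var in LOADER_VARS:
        if env.get(var):
            out.append(f"{var} set: {env[var]}")
    for lib in sorted(mapped_libraries(maps_text)):
        if not lib.startswith(TRUSTED_LIB_DIRS):
            out.append(f"library mapped from untrusted path: {lib}")
    return out

def scan_proc(proc: str = "/proc") -> dict:
    """Live scan, {pid: findings}; reading other users' environ needs root."""
    report = {}
    for p in (e for e in Path(proc).iterdir() if e.name.isdigit()):
        try:
            hits = findings((p / "environ").read_bytes(), (p / "maps").read_text())
        except OSError:  # process exited, or not ours to read
            continue
        if hits:
            report[int(p.name)] = hits
    return report

# Constructed sample: exe says /usr/bin/ssh, but environ and maps reveal a /tmp hook.
SAMPLE_ENVIRON = b"HOME=/home/alice\0LD_PRELOAD=/tmp/.x/libhook.so\0PATH=/usr/bin\0"
SAMPLE_MAPS = """\
55d0c0e00000-55d0c0e20000 r-xp 00000000 fd:01 1234 /usr/bin/ssh
7f1a2b000000-7f1a2b020000 r-xp 00000000 fd:01 5678 /tmp/.x/libhook.so
7f1a2c000000-7f1a2c1c0000 r-xp 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libc.so.6
"""
```

Run `scan_proc()` as root for a live sweep; `findings(SAMPLE_ENVIRON, SAMPLE_MAPS)` shows both the LD_PRELOAD variable and the out-of-tree mapping on the constructed sample.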
jasongill•1h ago
I remember using LD_PRELOAD for reverse engineering Linux binary-only apps in the late '90s, so it's likely from much earlier than that; it has always been a neat trick.
lokar•23m ago
It was also a way to defeat license managers for UNIX software back in the day…
nathan_naveen•1h ago
Hey, the author here... Our blog post is mainly talking about how the vulnerability works, but even if there is an insider threat (or reverse shell or any kind of attack) there are ways to stop this. We at Bomfather have a solution for this (we aren't trying to plug ourselves here), but any good eBPF solution should be able to protect against this.
Retr0id•1h ago
I'm not familiar with the state-of-the-art in Linux EDRs but I assumed checking LD_PRELOAD was table stakes.
nathan_naveen•1h ago
Yeah... we thought the same thing, but we checked a couple of other EDRs and saw that a few of them don't do this. If you guys know some EDRs that do this, let us know :)
bpt3•1h ago
What did you check? Nearly every EDR product does this to my knowledge.
nathan_naveen•59m ago
KubeArmor...
gabriel•35m ago
I would back it up a little bit and say that any EDR thing would be capable of observing the source of the functions that a program will run and detect outliers. It's a great program to write, everyone should give it a try! It can also be unexpectedly complicated to get all of the corner cases right and you'll drive yourself mad once you try to think of the ways your detection method can be circumvented.
blibble•1h ago
there is no additional threat here beyond what you can already do as the user

an attacker that is already your user can do far worse than hook into libc

nathan_naveen•57m ago
The idea for this blog post was that if someone becomes a user in your system but you have a basic security policy in place how can they circumvent it. That is how we came across LD_PRELOAD.
SamuelNickel•18m ago
This is not a vulnerability. It is expected behavior. If someone can set environment variables or write to /etc/, it is already game over.
richm44•7m ago
Here's an example I made a while ago of how easy it is to use LD_PRELOAD to hook things and change file contents etc. https://github.com/richmoore/reciprocity
