LD_PRELOAD, the Invisible Key Theft
a day ago
- #Solana
- #LD_PRELOAD
- #Security
- LD_PRELOAD is an environment variable that allows loading a shared library before a program starts, enabling interception of file operations.
- The weakness affects any application that loads credentials from files, not just Solana, and is primarily an insider-threat risk.
- Attackers can hook into file operations like close() to copy sensitive files (e.g., Solana keypairs) without detection.
- Two methods: LD_PRELOAD (no root needed, applies per process) and /etc/ld.so.preload (requires root but affects all dynamically linked processes).
- Containers are vulnerable as the attack operates within their namespace, bypassing isolation.
- The attack is simple, leveraging legitimate features like /proc/self/fd/{fd} to exfiltrate data silently.
- EDR solutions may miss this because the file access is performed by the validator process itself and therefore looks normal.
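As an added example that is not from the original article, a defender-side audit in Python for the two mechanisms the summary names: it reports processes whose environment sets LD_PRELOAD and lists the entries of /etc/ld.so.preload. The function names and the constructed /proc tree used for the offline run are this example's own assumptions.

```python
import tempfile
from pathlib import Path

# Audits both preload mechanisms: per-process LD_PRELOAD (from /proc/<pid>/environ)
# and the system-wide /etc/ld.so.preload list. Paths are parameters for testing.
def libs_from_environ(environ: bytes) -> list[str]:
    """Libraries named by LD_PRELOAD in a NUL-separated environ block (colon or space separated)."""
    libs = []
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len("LD_PRELOAD="):].decode(errors="replace")
            libs.extend(value.replace(":", " ").split())
    return libs

def scan_processes(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Map pid -> preloaded libraries; environs we cannot read (other users, exited) are skipped."""
    findings = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            libs = libs_from_environ((entry / "environ").read_bytes())
        except OSError:
            continue
        if libs:
            findings[int(entry.name)] = libs
    return findings

def system_preload(preload_file: str = "/etc/ld.so.preload") -> list[str]:
    """Entries of ld.so.preload, which the loader applies to every dynamically linked process."""
    try:
        text = Path(preload_file).read_text()
    except OSError:
        return []
    return [tok for line in text.splitlines()  # '#' starts a comment; ':' or blanks separate
            for tok in line.split("#", 1)[0].replace(":", " ").split()]

def build_constructed_tree() -> tuple[str, str]:
    """Constructed fixture, not a real system: pid 100 is clean, pid 200 has LD_PRELOAD set."""
    root = Path(tempfile.mkdtemp())
    for pid, environ in ((100, b"HOME=/home/validator\0PATH=/usr/bin\0"),
                         (200, b"LD_PRELOAD=/tmp/hook.so:/tmp/other.so\0HOME=/root\0")):
        (root / "proc" / str(pid)).mkdir(parents=True)
        (root / "proc" / str(pid) / "environ").write_bytes(environ)
    (root / "ld.so.preload").write_text("# constructed\n/opt/lib/global.so\n")
    return str(root / "proc"), str(root / "ld.so.preload")

if __name__ == "__main__":
    proc_dir, preload_path = build_constructed_tree()
    print(scan_processes(proc_dir), system_preload(preload_path))
```

Run against the live paths (the defaults) as root to see every process; a non-root run only reports processes of the same user.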