Full Report
A tool for bypassing TLS verification on Linux. This makes intercepting clients much easier.
Analysis Summary
# Tool/Technique: tls-preloader (TLS NoVerify)
## Overview
**tls-preloader** is a specialized security tool designed to bypass TLS certificate validation on Linux-based systems. By utilizing the `LD_PRELOAD` environment variable, the tool intercepts calls to standard cryptographic libraries and forces them to return a "success" status during certificate verification. This facilitates Man-in-the-Middle (MitM) attacks and traffic analysis on applications, particularly embedded and industrial (OT) systems, that would otherwise reject certificates not signed by a trusted CA.
## Technical Details
- **Type:** Tool (Security Research / Pentesting)
- **Platform:** Linux (glibc and musl libc environments, including embedded systems)
- **Capabilities:** Universal TLS certificate bypass for multiple crypto libraries.
- **First Seen:** August 17, 2025 (Article Date)
## MITRE ATT&CK Mapping
- **[TA0006 - Credential Access]**
- **[T1557 - Adversary-in-the-Middle]**
- **[TA0005 - Defense Evasion]**
- **[T1574.006 - Hijack Execution Flow: LD_PRELOAD]**
- **[TA0010 - Exfiltration]**
- **[T1020 - Automated Exfiltration]** (Facilitated by clearing the path for traffic interception)
## Functionality
### Core Capabilities
- **Library Interposition:** Uses the Linux dynamic linker (`ld.so`) to load a malicious/modified library (`libtlsnoverify.so`) before standard system libraries.
- **Multi-Library Support:** Provides a single interface to bypass validation across multiple TLS implementations, including:
  - OpenSSL (e.g., intercepting `X509_verify_cert`)
  - GnuTLS
  - NSS (Network Security Services)
  - mbedTLS
  - wolfSSL
- **Symbol Hijacking:** Exploits the "first match wins" rule of dynamic symbol resolution to replace legitimate verification functions with dummy functions that always report the certificate as valid.
### Advanced Features
- **Broad Compatibility:** Capable of running in restricted environments such as `musl libc` userspaces, where traditional tools like Frida may fail.
- **Library Discovery:** Encourages the use of `LD_DEBUG=bindings` to identify target crypto functions in proprietary or non-standard binaries.
## Indicators of Compromise
- **File Hashes:** *(Note: specific library hashes vary by compilation)*
- **File Names:**
  - `libtlsnoverify.so`
  - `tls-preloader`
- **Registry Keys:** N/A (Linux-based)
- **Network Indicators:**
  - Traffic directed to interception proxies (e.g., Burp Suite, mitmproxy) using certificates not signed by a trusted CA.
- **Behavioral Indicators:**
  - Presence of the `LD_PRELOAD` environment variable in process environments pointing to unknown `.so` files.
  - Unexpected use of the `LD_DEBUG` environment variable (e.g., `LD_DEBUG=bindings`) to map symbol bindings during reconnaissance phases.
## Associated Threat Actors
- **Security Researchers & OT/ICS Pentesters:** Primarily used for auditing embedded devices and industrial controllers.
- **Adversaries:** Potentially used by actors targeting Linux servers or IoT devices to facilitate data exfiltration from TLS-secured applications.
## Detection Methods
- **Behavioral Detection:** Monitor for the execution of binaries with the `LD_PRELOAD` environment variable set, especially when pointing to files in `/tmp` or other world-writable directories.
- **System Auditing:** Use `auditd` to track changes to environment variables or the loading of shared objects from unusual paths.
- **Memory Analysis:** Inspect the maps file of a running process (`/proc/[pid]/maps`) to identify unexpected shared libraries loaded into the address space.
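A defender-side check for the behavioral indicators above, added here as an example and not code from the tls-preloader project: it parses `/proc/<pid>/environ` and `/proc/<pid>/maps` and flags `LD_PRELOAD` or `LD_DEBUG` in a process environment, shared objects mapped from world-writable paths, and the library name this report associates with the tool. The sample environ/maps contents, `SUSPICIOUS_DIRS` and `KNOWN_NAMES` are constructed assumptions for the example.

```python
import os
from pathlib import Path
# Directories from which a legitimate shared object should not be mapped (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")
KNOWN_NAMES = {"libtlsnoverify.so"}  # file name this report associates with the tool
# Constructed sample of one process's environ and maps (not captured from a real host).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/libtlsnoverify.so\0HOME=/root\0"
SAMPLE_MAPS = (
    "7f00a0000000-7f00a0001000 r-xp 00000000 08:01 1234 /tmp/libtlsnoverify.so\n"
    "7f00a0100000-7f00a0200000 r-xp 00000000 08:01 5678 /usr/lib/libssl.so.3\n")

def parse_environ(raw: bytes) -> dict:
    """Parse /proc/<pid>/environ, which is NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def loaded_objects(maps_text: str) -> set:
    """Return the file-backed mappings from /proc/<pid>/maps (6th field is the path)."""
    fields = (line.split(maxsplit=5) for line in maps_text.splitlines())
    return {f[5] for f in fields if len(f) == 6 and f[5].startswith("/")}

def assess(environ_raw: bytes, maps_text: str) -> list:
    """Return findings (strings) for one process; an empty list means nothing flagged."""
    env, findings = parse_environ(environ_raw), []
    for var in ("LD_PRELOAD", "LD_DEBUG"):  # both variables appear in the report's indicators
        if env.get(var):
            findings.append(f"{var} set: {env[var]}")
    for path in sorted(loaded_objects(maps_text)):
        if os.path.basename(path) in KNOWN_NAMES:
            findings.append(f"known bypass library mapped: {path}")
        elif ".so" in os.path.basename(path) and path.startswith(SUSPICIOUS_DIRS):
            findings.append(f"shared object mapped from unusual path: {path}")
    return findings

def scan_proc(proc: str = "/proc") -> dict:
    """Run assess() over every readable process and return {pid: findings}."""
    results = {}
    for entry in (p for p in Path(proc).iterdir() if p.name.isdigit()):
        try:  # a process may exit mid-scan; environ is unreadable without privileges
            hits = assess((entry / "environ").read_bytes(), (entry / "maps").read_text())
        except OSError:
            continue
        if hits:
            results[entry.name] = hits
    return results
```

Run `scan_proc()` as root to cover every process; unprivileged runs only see the caller's own processes, since `/proc/<pid>/environ` is readable only by the owner.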
## Mitigation Strategies
- **Binary Hardening:** Statically link sensitive cryptographic libraries to prevent `LD_PRELOAD` interception.
- **Platform Integrity:** Use `Secure Boot` and signed kernels to ensure system integrity.
- **Restricting Privileges:** Disable the ability to set `LD_PRELOAD` for sensitive applications or use the `setuid` bit (which causes the linker to ignore `LD_PRELOAD` for security reasons).
- **Environment Monitoring:** Implement EDR policies to alert on non-standard dynamic library loading.
## Related Tools/Techniques
- **Frida:** Dynamic instrumentation toolkit (Alternative).
- **SSLsplit / mitmproxy:** Tools often used in conjunction with this bypass to analyze traffic.
- **Bettercap:** Network attack framework.
- **Binary Patching:** The manual alternative to using this tool.