One of the scans will parse ELF files and find the DT_RUNPATH and DT_RPATH. Then if it finds a path we check to see if we have write access at that location so that we can inject a malicious shared object. From testing I found the following edge case. This gets split into two values.
I understand that $ORIGIN gets replaced with the binary's current working directory. But what on earth does "." do? I've looked through loads of documentation and cannot find anything. I also looked at ld.so source code but I did not really understand it.
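An added example, not part of the original post: an audit helper that classifies each colon-separated DT_RUNPATH/DT_RPATH entry the way glibc's loader is understood to read it, where `$ORIGIN` expands to the directory containing the object and an empty or relative entry such as "." is resolved against the working directory of the process at load time. The function name `audit_runpath`, its parameters and the sample RUNPATH string are assumptions made for illustration.

```python
import os

def audit_runpath(runpath, binary_path, cwd=None, is_writable=None):
    """Classify DT_RUNPATH/DT_RPATH entries (assumes glibc semantics).

    Returns a list of (raw_entry, resolved_dir, flags) tuples.
    """
    cwd = cwd or os.getcwd()
    if is_writable is None:
        is_writable = lambda p: os.path.isdir(p) and os.access(p, os.W_OK)
    # $ORIGIN is the directory that contains the object being loaded.
    origin = os.path.dirname(os.path.abspath(binary_path))
    findings = []
    for raw in runpath.split(":"):
        entry = raw.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
        flags = []
        if not entry.startswith("/"):
            # Empty entries and relative ones such as "." depend on the
            # working directory of whoever launches the program.
            flags.append("cwd-relative")
            entry = os.path.join(cwd, entry)
        resolved = os.path.normpath(entry)  # lexical only, symlinks not followed
        if is_writable(resolved):
            flags.append("writable")
        findings.append((raw, resolved, flags))
    return findings

if __name__ == "__main__":
    # Constructed sample value, not taken from the post.
    sample = "$ORIGIN/../lib:.::/usr/lib"
    for row in audit_runpath(sample, "/opt/app/bin/tool"):
        print(row)
```

An entry flagged `cwd-relative` has no fixed location on disk, so a hardening review should treat it as a finding regardless of the `writable` result on the machine running the audit.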