luke-goddard / enumy

Linux post exploitation privilege escalation enumeration
MIT License

How to hand RPATH edge case #17

Closed luke-goddard closed 4 years ago

luke-goddard commented 4 years ago

One of the scans will parse ELF files and find the DT_RUNPATH and DT_RPATH. Then, if it finds a path, we check whether we have write access at that location so that we can inject a malicious shared object. From testing, I found the following edge case.

$ readelf -d /opt/minecraft-launcher/minecraft-launcher | grep RPATH
  0x000000000000000f (RPATH)              Library rpath: [.:$ORIGIN/]

This gets split into two values.

  1. "."
  2. "$ORIGIN/"

I understand that $ORIGIN gets replaced with the binary's current working directory. But what on earth does "." do? I've looked through loads of documentation and cannot find anything. I also looked at the ld.so source code but I did not really understand it.
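The check described in the issue, written out as an added example that is not part of enumy: it parses the `readelf -d` line shown above, splits the search path on `:` the way ld.so does, expands `$ORIGIN` to the directory containing the binary, and separates entries that only resolve at load time (relative ones such as `.`, or an empty entry, which ld.so resolves against the process's current working directory) from absolute ones whose writability can be checked directly. The binary path, the working directory and the `audit` / `classify_entry` names are assumptions for the example.

```python
import os
import re

# Matches the DT_RPATH / DT_RUNPATH lines printed by `readelf -d`, e.g.
#   0x000000000000000f (RPATH)   Library rpath: [.:$ORIGIN/]
_READELF_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[(.*)\]")

# Constructed sample: the line quoted in the issue.
SAMPLE_READELF = "  0x000000000000000f (RPATH)              Library rpath: [.:$ORIGIN/]\n"


def parse_readelf_rpath(readelf_output):
    """Return [(tag, [entries...])]. Entries are split on ':' and empty
    entries are kept: for ld.so an empty entry (from '::' or a leading or
    trailing ':') is the same as '.', i.e. the current working directory."""
    return [(m.group(1), m.group(2).split(":")) for m in _READELF_RE.finditer(readelf_output)]


def classify_entry(entry, binary_path, cwd):
    """Resolve one search-path entry as the dynamic loader would and report
    what an auditor needs to know about it."""
    origin = os.path.dirname(os.path.abspath(binary_path))   # $ORIGIN = dir of the binary
    expanded = entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin)
    if expanded == "":
        expanded = "."                                       # empty entry == cwd
    # A relative entry is looked up relative to wherever the process is
    # started from, so it cannot be judged writable or not from the file alone.
    cwd_dependent = not os.path.isabs(expanded)
    resolved = os.path.normpath(os.path.join(cwd, expanded) if cwd_dependent else expanded)
    return {
        "entry": entry,
        "resolved": resolved,
        "cwd_dependent": cwd_dependent,
        "uses_origin": "$ORIGIN" in entry or "${ORIGIN}" in entry,
        # Only meaningful for fixed paths; for cwd-dependent entries it reflects the cwd given.
        "writable": os.path.isdir(resolved) and os.access(resolved, os.W_OK),
    }


def audit(readelf_output, binary_path, cwd=None):
    """Classify every RPATH/RUNPATH entry of one binary; cwd defaults to the caller's."""
    cwd = cwd or os.getcwd()
    findings = []
    for tag, entries in parse_readelf_rpath(readelf_output):
        for entry in entries:
            finding = classify_entry(entry, binary_path, cwd)
            finding["tag"] = tag
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_READELF, "/opt/minecraft-launcher/minecraft-launcher"):
        print(f)
```

Any entry reported as `cwd_dependent` deserves a finding on its own, regardless of `writable`, since the directory it names is chosen by whoever launches the process.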