T1157 Dylib Hijacking Persistence - CraigDonkin/Infrastructure GitHub Wiki

T1157 - Dylib Hijacking Persistence

  • T1157 is the retired ATT&CK ID; the technique now lives under T1574.004 (Hijack Execution Flow: Dylib Hijacking)
  • Look for ambiguous or writable library search paths (RPATH/RUNPATH, LD_LIBRARY_PATH, ld.so.conf directories, missing libraries)
  • Plant dylibs / shared objects where the loader will pick them up first
  • Gain priv esc (when a privileged process loads it) or persistence (when the program is run regularly)

Previous Blog Post

Finding Dylibs/Shared Objects

  • ldd tool (Linux). ldd can end up executing the binary's own loader, so never run it against a binary you do not trust; readelf -d or objdump -p print the DT_NEEDED entries without running anything
ldd /opt/binary
  • otool
    • Mac
otool -L binary

Finding RPATH

objdump -x binary | grep RPATH
  • Also grep for RUNPATH; readelf -d shows both tags, and the loader ignores RPATH when RUNPATH is present
  • Expand $ORIGIN (the directory holding the binary) before checking file perms on the location
  • Can you write here? If the directory does not exist yet, can you create it?

Shared Library Search Order

The list below is GNU ld's link-time search order (as given in the ld man page). It is not what ld.so uses when the program starts; the runtime order that actually matters for hijacking follows it.

  • Any directories specified by -rpath-link options (directories specified by -rpath-link options are only effective at link time)
  • Any directories specified by -rpath options (directories specified by -rpath options are recorded in the executable as DT_RPATH/DT_RUNPATH and used at runtime)
  • LD_RUN_PATH (only if neither -rpath nor -rpath-link was used)
  • LD_LIBRARY_PATH
  • Directories in the DT_RUNPATH or DT_RPATH of a shared library being linked against (DT_RPATH entries are ignored if DT_RUNPATH entries exist)
  • /lib and /usr/lib
  • Directories within /etc/ld.so.conf

Runtime search order used by ld.so (see ld.so(8)):

  • LD_PRELOAD (heavily restricted in secure-execution mode, i.e. for setuid/setgid binaries)
  • DT_RPATH of the binary, only if it carries no DT_RUNPATH
  • LD_LIBRARY_PATH (ignored entirely in secure-execution mode, so it is no vector against setuid/setgid targets)
  • DT_RUNPATH of the binary
  • /etc/ld.so.cache, built by ldconfig from /etc/ld.so.conf and the files it includes from /etc/ld.so.conf.d/
  • /lib and /usr/lib (/lib64 and /usr/lib64 on some 64-bit systems)

Attack Path

  • Does the application use shared libraries?
    • ldd /binary
  • Can you modify any of the shared libraries it already loads?
    • ls -la on each library path ldd printed (not on the binary itself)
    • If one is writable, add malicious code to it, for example a constructor that runs when the library is loaded, while keeping the exports the program expects so it still works
  • Was the application compiled with RPATH?
    • objdump -x /binary | grep RPATH
    • Do you have permission to write to the specified location (after expanding $ORIGIN)?
      • Write a malicious shared library there under the expected filename
  • Was the application compiled with any RUNPATH options?
    • objdump -x /binary | grep RUNPATH
    • Can you write here? (RUNPATH is searched after LD_LIBRARY_PATH, and its presence makes the loader ignore RPATH)
      • Write a malicious shared library there
  • Do you have permission to write to /lib and /usr/lib?
    • ls -la /lib
    • ls -la /usr/lib
    • Write a malicious shared library there
  • Do you have permission to write to any of the locations in /etc/ld.so.conf (including the files it pulls in from /etc/ld.so.conf.d/)?
    • cat /etc/ld.so.conf
      • Write a malicious shared library there
  • Are any of the shared libraries missing?
    • ldd /binary | grep "not found"
    • A missing DT_NEEDED library means the program cannot start at all in your current environment; it is still worth chasing when a privileged context (cron, a service) supplies a different LD_LIBRARY_PATH, and ldd does not show libraries the program opens later with dlopen()
    • Can you write anywhere on the search order?
      • ls -la location
      • Store the malicious library there under the missing name
  • You would need to wait for the application to be run for the malicious code to execute
    • Check
      • CRON
      • Processes
      • Start up
      • etc.
  • Priv esc caveat: for setuid/setgid targets the loader ignores LD_LIBRARY_PATH (secure-execution mode), so only RPATH/RUNPATH, the ld.so.conf directories and the default directories count
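The checks in the Finding and Attack Path sections above, pulled together into one script. This is an added example for this wiki page, not code from the page or from any project it links: it assumes Linux/glibc, readelf from binutils and readlink -f from coreutils, handles only the $ORIGIN and ${ORIGIN} token spellings, and lists both the /lib,/usr/lib and /lib64,/usr/lib64 default directories rather than detecting the architecture. It reads the dynamic section with readelf instead of ldd so the target is never executed, applies the ld.so rule that RPATH is ignored when RUNPATH exists, drops LD_LIBRARY_PATH for setuid/setgid binaries, and for every DT_NEEDED library reports directories you can write to (or create) that are searched before the real copy, libraries you can overwrite in place, and libraries that are missing altogether.

```sh
#!/bin/sh
# Added example (not from the wiki): audit an ELF binary for library-hijack
# candidates without running it (ldd may execute untrusted binaries; readelf does not).
# Assumptions: Linux/glibc, readelf (binutils), readlink -f (coreutils).
# Search order follows ld.so(8): DT_RPATH (only if no DT_RUNPATH), LD_LIBRARY_PATH
# (ignored for setuid/setgid), DT_RUNPATH, ld.so.conf dirs, then /lib and /usr/lib.
set -u

# Replace $ORIGIN / ${ORIGIN} in path element $1 with directory $2.
# Only these two token spellings are handled (an assumption of this example).
expand_origin() {
  local s="$1" out= pre brace='${ORIGIN}' bare='$ORIGIN'
  while :; do
    case $s in
      *"$brace"*) pre=${s%%"$brace"*}; s=${s#*"$brace"}; out=$out$pre$2 ;;
      *"$bare"*)  pre=${s%%"$bare"*};  s=${s#*"$bare"};  out=$out$pre$2 ;;
      *) printf '%s\n' "$out$s"; return 0 ;;
    esac
  done
}

# Split colon-separated list $1 one entry per line, expanding $ORIGIN to $2.
# Empty entries are skipped here.
split_path() {
  local list="$1" origin="$2" entry
  [ -n "$list" ] || return 0
  printf '%s\n' "$list" | tr ':' '\n' | while IFS= read -r entry; do
    if [ -n "$entry" ]; then expand_origin "$entry" "$origin"; fi
  done
}

# Directories named in ld.so.conf file $1, following "include" globs.
ldso_conf_dirs() {
  local key rest f
  [ -r "$1" ] || return 0
  while read -r key rest; do
    case $key in
      ''|'#'*) ;;
      include) for f in $rest; do ldso_conf_dirs "$f"; done ;;
      *) printf '%s\n' "$key" ;;
    esac
  done < "$1"
}

# Emit, in ld.so order, the directories searched for a binary whose directory
# is $1, DT_RPATH is $2, DT_RUNPATH is $3 and effective LD_LIBRARY_PATH is $4.
search_order() {
  local origin="$1" rpath="$2" runpath="$3" ldpath="$4"
  if [ -z "$runpath" ]; then split_path "$rpath" "$origin"; fi  # DT_RPATH only without DT_RUNPATH
  split_path "$ldpath" "$origin"
  split_path "$runpath" "$origin"
  ldso_conf_dirs /etc/ld.so.conf        # ld.so really consults ld.so.cache, which is built from these
  printf '%s\n' /lib /usr/lib /lib64 /usr/lib64
}

# Walk the ordered directories $2.. for library $1 and report one line each:
#   PLANT  dir  - searched before the real copy and writable: drop a fake library here
#   CREATE dir  - searched before the real copy, missing, and its parent is writable
#   FOUND  dir  - where ld.so will load it from (WRITABLE appended if you can overwrite it)
#   MISSING     - never found; any writable directory on the path wins
check_lib() {
  local lib="$1" dir; shift
  for dir in "$@"; do
    if [ -e "$dir/$lib" ]; then
      if [ -w "$dir/$lib" ]; then printf 'FOUND %s %s WRITABLE\n' "$lib" "$dir"
      else printf 'FOUND %s %s\n' "$lib" "$dir"; fi
      return 0
    elif [ -w "$dir" ]; then printf 'PLANT %s %s\n' "$lib" "$dir"
    elif [ ! -e "$dir" ] && [ -w "$(dirname "$dir")" ]; then printf 'CREATE %s %s\n' "$lib" "$dir"
    fi
  done
  printf 'MISSING %s\n' "$lib"
}

# Full audit of one binary: DT_NEEDED, DT_RPATH and DT_RUNPATH via readelf, then check_lib.
audit_binary() {
  local bin="$1" origin needed rpath runpath ldpath lib
  command -v readelf >/dev/null 2>&1 || { echo 'readelf not found (install binutils)' >&2; return 2; }
  origin=$(dirname "$(readlink -f "$bin")")   # what $ORIGIN expands to
  needed=$(readelf -d "$bin" | sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p')
  rpath=$(readelf -d "$bin" | sed -n 's/.*(RPATH).*\[\(.*\)].*/\1/p')
  runpath=$(readelf -d "$bin" | sed -n 's/.*(RUNPATH).*\[\(.*\)].*/\1/p')
  ldpath=${LD_LIBRARY_PATH-}
  # setuid/setgid programs run in secure-execution mode, where ld.so ignores
  # LD_LIBRARY_PATH (and restricts LD_PRELOAD), so the env var is no vector against them
  if [ -u "$bin" ] || [ -g "$bin" ]; then ldpath=; fi
  printf '%s: RPATH=[%s] RUNPATH=[%s]\n' "$bin" "$rpath" "$runpath"
  set -f; IFS='
'
  set -- $(search_order "$origin" "$rpath" "$runpath" "$ldpath")   # one directory per argument
  unset IFS; set +f
  for lib in $needed; do check_lib "$lib" "$@"; done
}

if [ $# -gt 0 ]; then for b; do audit_binary "$b"; done; fi   # usage: ./libaudit.sh /opt/binary
```

Run it as the low-privileged user you have, since the -w tests answer "can this account write here"; as root everything reports writable. A PLANT or CREATE line on a library that a privileged process (cron job, service, setuid binary) loads is the priv esc case; the same line on a program the victim runs regularly is the persistence case.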

Tool

https://github.com/slimm609/checksec.sh

  • Checks hardening properties of a binary (RELRO, stack canary, NX, PIE, and so on)
  • Includes RPATH and RUNPATH checks, so it flags binaries worth walking through the attack path above