Friday, July 29, 2022

dirty secrets of ld.so

As you may know, you can set the library search path under Linux in several ways:

  • the environment variable LD_LIBRARY_PATH, but it can be removed somewhere inside the program, so /proc/pid/environ is useless (as usual they expose only useless trash via the official API while carefully hiding anything really important)
  • via the --library-path option of ld.so, like /lib64/ld-linux-x86-64.so.2 --library-path path someprogram. Again, the command line can be patched
  • via /etc/ld.so.conf - this file can also be patched after your program was launched
So a good question is: "is there some trusted source to see what library path was installed for some running program?"

Yes, this is ld.so itself, because it uses this data while dynamically loading modules. Long story short: the value from --library-path / LD_LIBRARY_PATH is stored in the variable library_path, and the whole directory set is stored in rtld_search_dirs
Bad news - they are not exported, and even worse, they are hard to find even using a disassembler
For example, rtld_search_dirs has xrefs from
  • open_path
  • _dl_init_paths
  • _dl_map_object
  • _dl_rtld_di_serinfo
and only the last one is an exported symbol

Anyway, I wrote a PoC to get the offsets of these internal variables, like

LD_LIBRARY_PATH=~redp:/fake/tmp ./ldso /usr/lib/x86_64-linux-gnu/ld-2.31.so
library_path: 0x2d540
rtld_search_dirs: 0x2d840
base 7FC0E7D5B000
0x7ffd179a5339 /home/redp:/fake/tmp
0x7fc0e7d8aca0
system search path  /lib/x86_64-linux-gnu/
system search path  /usr/lib/x86_64-linux-gnu/
system search path  /lib/
system search path  /usr/lib/
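The post's PoC stops at computing the offsets. The script below is an added example (not the post's code) that does the next step a forensic check would want: given those offsets, read library_path and the rtld_search_dirs directory list out of a live process through /proc/pid/maps and /proc/pid/mem, so the answer comes from ld.so's own state rather than from the patchable environment or command line. It assumes x86-64, the offsets 0x2d540 and 0x2d840 that the post reports for /usr/lib/x86_64-linux-gnu/ld-2.31.so (they differ for every other glibc build), and the field order next, what, where, dirname, dirnamelen of glibc's internal struct r_search_path_elem, which puts dirname at byte offset 24. The constructed in-memory image lets it run without a target process.

```python
import re
import struct

# Offsets the post reports for ld-2.31.so; recompute them for any other build.
LIBRARY_PATH_OFF = 0x2d540
RTLD_SEARCH_DIRS_OFF = 0x2d840
# Assumption: struct r_search_path_elem = {next, what, where, dirname, dirnamelen, ...},
# so dirname is the fourth pointer-sized field (byte offset 24 on x86-64).
DIRNAME_OFF = 24
PTR = struct.Struct("<Q")  # little-endian 64-bit pointer


def ldso_base(maps_text):
    """Load base of the dynamic loader: start of the file-offset-0 mapping
    whose path looks like ld-*.so or ld-linux-*.so, parsed from /proc/<pid>/maps."""
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        addr, _perms, offset, _dev, _inode, path = parts
        if int(offset, 16) == 0 and re.search(r"/ld(-linux)?[^/]*\.so", path):
            return int(addr.split("-")[0], 16)
    raise LookupError("no ld.so mapping found in maps text")


class ProcMem:
    """Reader over /proc/<pid>/mem; needs ptrace access to the target."""
    def __init__(self, pid):
        self.f = open("/proc/%d/mem" % pid, "rb", buffering=0)

    def read(self, addr, n):
        self.f.seek(addr)
        return self.f.read(n)


def read_ptr(mem, addr):
    return PTR.unpack(mem.read(addr, 8))[0]


def read_cstr(mem, addr, limit=4096):
    """NUL-terminated string, read byte by byte so an unmapped page right
    after the string cannot turn a valid read into an I/O error."""
    out = bytearray()
    while len(out) < limit:
        b = mem.read(addr + len(out), 1)
        if not b or b == b"\0":
            break
        out += b
    return out.decode(errors="replace")


def library_path(mem, base):
    """ld.so's private library_path, or None when neither LD_LIBRARY_PATH
    nor --library-path was given."""
    p = read_ptr(mem, base + LIBRARY_PATH_OFF)
    return read_cstr(mem, p) if p else None


def system_search_dirs(mem, base):
    """dirname of every element in rtld_search_dirs.dirs (NULL-terminated array)."""
    dirs = read_ptr(mem, base + RTLD_SEARCH_DIRS_OFF)  # rtld_search_dirs.dirs
    out = []
    while dirs:
        elem = read_ptr(mem, dirs)
        if not elem:
            break
        out.append(read_cstr(mem, read_ptr(mem, elem + DIRNAME_OFF)))
        dirs += 8
    return out


class ImageMem:
    """Constructed stand-in for ProcMem: one flat buffer mapped at `base`."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def read(self, addr, n):
        off = addr - self.base
        return bytes(self.buf[off:off + n]) if 0 <= off < len(self.buf) else b""

    def put(self, addr, data):
        self.buf[addr - self.base:addr - self.base + len(data)] = data


def build_constructed_image(base=0x7fc0e7d5b000):
    """Fake ld.so image with the same values as the post's run (constructed data;
    the real library_path string lives on the stack, here it is placed in scratch)."""
    mem, cursor = ImageMem(base, 0x40000), base + 0x30000

    def place(data):
        nonlocal cursor
        addr, cursor = cursor, cursor + ((len(data) + 15) & ~15)
        mem.put(addr, data)
        return addr

    mem.put(base + LIBRARY_PATH_OFF, PTR.pack(place(b"/home/redp:/fake/tmp\0")))
    elems = []
    for d in (b"/lib/x86_64-linux-gnu/", b"/usr/lib/x86_64-linux-gnu/", b"/lib/", b"/usr/lib/"):
        name = place(d + b"\0")
        elems.append(place(struct.pack("<5Q", 0, 0, 0, name, len(d))))  # next, what, where, dirname, dirnamelen
    arr = place(struct.pack("<%dQ" % (len(elems) + 1), *elems, 0))
    mem.put(base + RTLD_SEARCH_DIRS_OFF, PTR.pack(arr))
    return mem, base


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # live target: python3 ldso_paths.py <pid>
        pid = int(sys.argv[1])
        with open("/proc/%d/maps" % pid) as f:
            base = ldso_base(f.read())
        mem = ProcMem(pid)
    else:                  # dry run on the constructed image
        mem, base = build_constructed_image()
    print("library_path:", library_path(mem, base))
    for d in system_search_dirs(mem, base):
        print("system search path ", d)
```

Run with a pid to inspect a real process (the offsets only apply to that exact ld-2.31.so build, so check the mapped path from /proc/pid/maps first); without arguments it prints the values from the constructed image, matching the post's output.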
