Date: Thu, 27 Jun 2002 13:42:46 +0900 (JST)
Message-Id: <20020627.134246.66136331.natori@adm.s.u-tokyo.ac.jp>
From: NATORI Shin
To: kevin.way@overtone.org
Cc: brian@hyperreal.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv

Hi,

From: Kevin Way
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
Date: Wed, 26 Jun 2002 23:34:41 -0400

> On Wed, Jun 26, 2002 at 03:29:45PM -0700, Brian Behlendorf wrote:
> > Sorry for the newbie question here, but is there a way to programmatically
> > determine which binaries on a system static-linked libc?  I tried "nm" but
> > that needs non-stripped executables...
>
> quick, dirty, evil, and maybe even effective?
>
> -Kevin Way
>
> #!/usr/local/bin/bash
>
> function dir_walk()
> {
>     for test in $1/*
>     do
>         if [ $test = '.' -o $test = '..' ]
>         then
>             break
>         elif [ -d $test ]
>         then
>             dir_walk $test
>         else
>             do_something $test
>         fi
>     done
> }
>
> function do_something()
> {
>     if file $1 | grep 'statically linked' > /dev/null 2>&1
>     then
>         echo "well shit, $1 is statically linked"
>     fi
> }
>
> dir_walk /

Perhaps this one is faster:

    find / -type f -print0 | xargs -0 file | grep -i 'statically linked'

FYI: I used the following one-liner to detect vulnerable binaries.
This is not very effective, needs a lot of memory, and will not detect
vulnerable binaries that have been linked to old libc. Therefore I
cannot make any guarantee, but at least it seems to work well on my
box.

    find / -type f -print0 | xargs -0 file | grep -i 'statically linked' |
    perl -e 'while (<>) {
        my ($file) = split(/:/);
        if (open(IN, "<$file")) {
            my $s = join("", <IN>);
            close(IN);
            if ($s =~ m%gethostby\*\.gethostanswer: asked for%
                || $s =~ m/%u\.%u\.%u\.%u\.in-addr\.arpa/
                || $s =~ m%in-addr\.arpa% && $s =~ m%/etc/hosts%
                   && $s =~ m%/etc/host\.conf%) {
                print $file, "\n";
            }
        } else {
            print STDERR "Cannot open $file\n";
        }
    }'

# NOTE:
# It seems that there are three vulnerable source files: gethostbydns.c,
# getnetbydns.c, name6.c (according to
# ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch)
# The above one-liner detects these files, using the fact that
# "gethostby*.gethostanswer: asked for" appears in gethostbydns.c,
# "%u.%u.%u.%u.in-addr.arpa" appears in getnetbydns.c, and
# "/etc/hosts", "/etc/host.conf" and "in-addr.arpa" appear in name6.c.

--
/* NATORI Shin, natori@adm.s.u-tokyo.ac.jp */
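
An added example, not code from the original post or from FreeBSD: the same check in Python, deciding "statically linked" from the ELF headers instead of file(1) output and scanning for the marker strings from the NOTE in fixed-size chunks so memory use stays bounded. The ET_EXEC-without-PT_INTERP rule is a heuristic assumed here, and the function names are hypothetical.

```python
import struct
import sys

ET_EXEC, PT_INTERP = 2, 3
# Marker strings named in the post, grouped by the source file they indicate.
MARKERS = {
    "gethostbydns.c": [b"gethostby*.gethostanswer: asked for"],
    "getnetbydns.c": [b"%u.%u.%u.%u.in-addr.arpa"],
    "name6.c": [b"in-addr.arpa", b"/etc/hosts", b"/etc/host.conf"],
}

def is_static_elf(path):
    """Heuristic (assumed): an ET_EXEC ELF image with no PT_INTERP header."""
    with open(path, "rb") as f:
        hdr = f.read(64)
        if len(hdr) < 52 or hdr[:4] != b"\x7fELF" or (hdr[4] != 1 and len(hdr) < 64):
            return False
        end = "<" if hdr[5] == 1 else ">"    # EI_DATA: 1 = little-endian
        if struct.unpack_from(end + "H", hdr, 16)[0] != ET_EXEC:
            return False
        off, fmt, ent = (28, "I", 42) if hdr[4] == 1 else (32, "Q", 54)  # ELF32/64
        phoff = struct.unpack_from(end + fmt, hdr, off)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", hdr, ent)
        for i in range(phnum):               # p_type is the first 4 bytes
            f.seek(phoff + i * phentsize)
            p_type = f.read(4)
            if len(p_type) < 4 or struct.unpack(end + "I", p_type)[0] == PT_INTERP:
                return False
    return True

def matched_sources(path, chunk=1 << 20):
    """Stream the file in chunks; return source files whose markers all occur."""
    wanted = {m for group in MARKERS.values() for m in group}
    keep = max(map(len, wanted)) - 1         # overlap so split markers still match
    found, tail = set(), b""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            buf = tail + block
            found |= {m for m in wanted - found if m in buf}
            tail = buf[-keep:]
    return sorted(src for src, group in MARKERS.items() if found.issuperset(group))

if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            if is_static_elf(path) and (hits := matched_sources(path)):
                print(path, ",".join(hits))
        except OSError:
            print("Cannot open", path, file=sys.stderr)
```

Saved under a name such as scan.py (hypothetical), it takes paths the same way the one-liner does: `find / -type f -print0 | xargs -0 python3 scan.py`.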