Date: Wed, 26 Mar 2003 14:47:24 +0100
From: Uros Juvan <uros.juvan@arnes.si>
Cc: security at FreeBSD <freebsd-security@freebsd.org>
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <3E81AF6C.3060705@arnes.si>
In-Reply-To: <20030326071637.A17385@sheol.localdomain>
References: <Pine.LNX.4.43.0303252144400.21019-100000@pilchuck.reedmedia.net> <20030326102057.GC657@zi025.glhnet.mhn.de> <20030326061041.A17052@sheol.localdomain> <20030326130056.GD657@zi025.glhnet.mhn.de> <20030326071637.A17385@sheol.localdomain>

Idea is cool, but it just won't work on statically linked files, you can
test this with:
# readelf -a /bin/ls
for example :(

I don't think there is 100% way of telling whether statically linked file is
linked against vulnerable xdr_mem.o, especially because obviously rcsid
string is undefined in source file.
Except of course searching for machine bytes composing vulnerable code :)

Regards,
Uros Juvan

D J Hawkey Jr wrote:

>On Mar 26, at 02:00 PM, Simon Barner wrote:
>
>>As far as I understood your script, it scans the output of "readelf -a", and
>>prints that file name if and only if this output contains "XDR" or "xdr". Will
>>this work if the binary is stripped (sorry in case I just overlooked something
>>stupid :-)
>
>Yes, it does. AFAIK, all base (and port?) software is [by default] stripped
>on installation, and the environment I tested that command with had stripped
>binaries.
>
>That isn't "stupid"; it took me a little while to work up that command
>(I didn't even know about readelf(1) until someone mentioned it to me).
>I'm no ELF expert - I'm no anything expert - but it appears that the ELF
>format itself contains these "labels".
>
>>Regards,
>> Simon
>
>Dave
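
Added example, not part of the original message or of the script discussed in the thread: a Python sketch that classifies ELF files by their program headers, so that the statically linked ones, which a `readelf -a` symbol scan cannot clear, can be listed for a separate check. The function names and the header-only sample images built by `make_elf32` are constructed for illustration.

```python
import struct

PT_DYNAMIC, PT_INTERP = 2, 3  # program header types from the ELF specification

def elf_link_type(data: bytes) -> str:
    """Classify an ELF image by its program headers."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    if data[4] == 2:                             # EI_CLASS 2 = ELF64
        if len(data) < 0x40:
            return "not-elf"
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:                                        # ELF32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    seen = set()
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):                  # truncated or corrupt table
            break
        seen.add(struct.unpack_from(end + "I", data, off)[0])  # p_type is first
    if PT_INTERP in seen:
        return "dynamic"                         # asks for a runtime linker
    if PT_DYNAMIC in seen:
        return "shared-or-static-pie"            # .so, or static PIE
    return "static"                              # no dynamic symbol table

def needs_other_check(images: dict) -> list:
    """Names of ELF files a dynamic-symbol scan cannot clear."""
    return sorted(n for n, d in images.items() if elf_link_type(d) == "static")

def make_elf32(p_types):
    """Constructed sample: minimal little-endian ELF32 image, headers only."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    hdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0x34, 0, 0,
                      0x34, 32, len(p_types), 0, 0, 0)
    return ident + hdr + b"".join(struct.pack("<8I", t, *[0] * 7) for t in p_types)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, elf_link_type(fh.read()))
```

Run as a script with file paths as arguments, it prints one classification per file; anything reported as `static` still needs a different test, such as the byte-pattern search mentioned in the message.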