Date: Wed, 26 Mar 2003 14:47:24 +0100
From: Uros Juvan
Cc: security at FreeBSD
Subject: Re: what actually uses xdr_mem.c?

Idea is cool, but it just won't work on statically linked files, you can
test this with:
# readelf -a /bin/ls
for example :(

I don't think there is a 100% way of telling whether a statically linked file
is linked against vulnerable xdr_mem.o, especially because obviously
rcsid string is undefined in source file.
Except of course searching for machine bytes composing vulnerable code :)

Regards,
Uros Juvan

D J Hawkey Jr wrote:

>On Mar 26, at 02:00 PM, Simon Barner wrote:
>
>>As far as I understood your script, it scans the output of "readelf -a", and
>>prints that file name if and only if this output contains "XDR" or "xdr". Will
>>this work if the binary is stripped (sorry in case I just overlooked something
>>stupid :-)
>
>Yes, it does. AFAIK, all base (and port?) software is [by default] stripped
>on installation, and the environment I tested that command with had stripped
>binaries.
>
>That isn't "stupid"; it took me a little while to work up that command
>(I didn't even know about readelf(1) until someone mentioned it to me).
>I'm no ELF expert - I'm no anything expert - but it appears that the ELF
>format itself contains these "labels".
>
>>Regards,
>>  Simon
>
>Dave
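
Added example, not part of the original message and not the script discussed in the thread: a triage helper that separates binaries where a symbol-name scan for "xdr" can answer the question from statically linked ones where finding nothing proves nothing. The function names and the two sample ELF images are constructed for illustration, and the raw name scan is a simplified stand-in for grepping `readelf -a` output.

```python
import re
import struct

PT_DYNAMIC = 2  # program header type: image carries dynamic-linking info

def link_type(data):
    """Classify an ELF image as 'dynamic' or 'static'; anything else is 'not-elf'."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little endian
    try:
        if data[4] == 2:                         # EI_CLASS: 2 = ELF64
            (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        else:                                    # ELF32
            (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        for i in range(phnum):
            (p_type,) = struct.unpack_from(end + "I", data, phoff + i * phentsize)
            if p_type == PT_DYNAMIC:
                return "dynamic"
    except struct.error:                         # truncated or corrupt headers
        return "not-elf"
    return "static"

def xdr_verdict(data):
    """Return (link type, xdr-like names found, whether finding none means anything)."""
    kind = link_type(data)
    # String-table entries are NUL-delimited, so match whole names only.
    names = sorted(set(re.findall(rb"(?<=\x00)_?xdr\w*(?=\x00)", data, re.I)))
    # Only a dynamic image must name what it imports; a stripped static binary
    # can contain the xdr_mem.o code with no name left, so a miss proves nothing.
    return kind, names, kind == "dynamic"

def sample_elf32(p_types, strtab=b""):
    """Constructed sample: little-endian ELF32 header, program headers, string bytes."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1,
                       0, 52, 0, 0, 52, 32, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)
    return ehdr + phdrs + strtab

# Constructed inputs: PT_LOAD (1) only = static; PT_LOAD + PT_DYNAMIC = dynamic.
DYNAMIC = sample_elf32([1, 2], b"\x00xdr_string\x00xdrmem_create\x00printf\x00")
STATIC_STRIPPED = sample_elf32([1], b"\x00")

if __name__ == "__main__":
    for label, image in (("dynamic", DYNAMIC), ("static", STATIC_STRIPPED)):
        print(label, xdr_verdict(image))
```

On a real system, pass the file's bytes (`open(path, "rb").read()`) to `xdr_verdict`; files reported as static with no names need a different check, such as rebuilding from patched sources.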