Date:      Thu, 27 Jun 2002 13:42:46 +0900 (JST)
From:      NATORI Shin <natori@adm.s.u-tokyo.ac.jp>
To:        kevin.way@overtone.org
Cc:        brian@hyperreal.org, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
Message-ID:  <20020627.134246.66136331.natori@adm.s.u-tokyo.ac.jp>
In-Reply-To: <20020627033441.GA99268@overtone.org>
References:  <Pine.NEB.3.96L.1020626162041.16603B-100000@fledge.watson.org> <20020626152851.Q310-100000@yez.hyperreal.org> <20020627033441.GA99268@overtone.org>

Hi,

From: Kevin Way <kevin.way@overtone.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
Date: Wed, 26 Jun 2002 23:34:41 -0400

> On Wed, Jun 26, 2002 at 03:29:45PM -0700, Brian Behlendorf wrote:
> > Sorry for the newbie question here, but is there a way to programmatically
> > determine which binaries on a system static-linked libc?  I tried "nm" but
> > that needs non-stripped executables...
> 
> quick, dirty, evil, and maybe even effective?
> 
> -Kevin Way
> 
> #!/usr/local/bin/bash
> 
> # Recursively walk the tree under $1 and check every non-directory entry.
> function dir_walk()
> {
>     for test in "$1"/*
>     do
>         if [ "$test" = '.' -o "$test" = '..' ]
>         then
>             continue
>         elif [ -d "$test" ]
>         then
>             dir_walk "$test"
>         else
>             do_something "$test"
>         fi
>     done
> }
> 
> # Report $1 if file(1) describes it as statically linked.
> function do_something()
> {
>     if file "$1" | grep 'statically linked' > /dev/null 2>&1
>     then
>         echo "well shit, $1 is statically linked"
>     fi
> }
> 
> dir_walk /

Perhaps this one is faster:

find / -type f -print0 | xargs -0 file | grep -i 'statically linked'

FYI: I used the following one-liner to detect vulnerable binaries.
This is not very effective, needs a lot of memory, and will not detect
vulnerable binaries that have been linked to old libc. Therefore I
cannot make any guarantee, but at least it seems to work well on my box.

find / -type f -print0 | xargs -0 file | grep -i 'statically linked' | perl -e 'while (<>) { my ($file) = split(/:/); if (open(IN, "<$file")) { my $s = join("", <IN>); close(IN); if ($s =~ m%gethostby\*\.gethostanswer: asked for% || $s =~ m/%u\.%u\.%u\.%u\.in-addr\.arpa/ || $s =~ m%in-addr\.arpa% && $s =~ m%/etc/hosts% && $s =~ m%/etc/host\.conf%) { print $file, "\n"; }} else { print STDERR "Cannot open $file\n"; }}'
# NOTE:
#   It seems that there are three vulnerable source files: gethostbydns.c,
#   getnetbydns.c, name6.c (according to 
#   ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch)
#   The above one-liner detects these files, using the fact that
#   "gethostby*.gethostanswer: asked for" appears in gethostbydns.c,
#   "%u.%u.%u.%u.in-addr.arpa"            appears in getnetbydns.c, and
#   "/etc/hosts", "/etc/host.conf" and "in-addr.arpa" appear in name6.c.
--
/* NATORI Shin, natori@adm.s.u-tokyo.ac.jp */
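
An added example, not part of the original message: the marker-string check from the NOTE above, written so that each file is memory-mapped instead of read whole and static linking is decided from the ELF header rather than from file(1) output. The "ET_EXEC with no PT_INTERP segment" heuristic and all function names are assumptions of this example.

```python
import mmap
import struct
import sys

# Marker strings per vulnerable source file, copied from the NOTE in the message.
MARKERS = {
    "gethostbydns.c": [b"gethostby*.gethostanswer: asked for"],
    "getnetbydns.c": [b"%u.%u.%u.%u.in-addr.arpa"],
    "name6.c": [b"in-addr.arpa", b"/etc/hosts", b"/etc/host.conf"],
}
ET_EXEC, PT_INTERP = 2, 3  # ELF e_type and p_type constants

def is_static_elf(buf):
    """Heuristic (assumption): ET_EXEC ELF image with no PT_INTERP segment."""
    if len(buf) < 64 or buf[:4] != b"\x7fELF" or buf[4] not in (1, 2) or buf[5] not in (1, 2):
        return False
    e = "<" if buf[5] == 1 else ">"  # EI_DATA selects the byte order
    if struct.unpack_from(e + "H", buf, 16)[0] != ET_EXEC:
        return False
    # e_phoff format and offset, e_phentsize/e_phnum offset: ELF32 vs ELF64
    fmt, po, eo = ("I", 28, 42) if buf[4] == 1 else ("Q", 32, 54)
    phoff = struct.unpack_from(e + fmt, buf, po)[0]
    entsize, num = struct.unpack_from(e + "HH", buf, eo)
    for i in range(num):
        off = phoff + i * entsize
        if off + 4 > len(buf):
            return False  # truncated or malformed program header table
        if struct.unpack_from(e + "I", buf, off)[0] == PT_INTERP:
            return False  # names a runtime linker, so dynamically linked
    return True

def resolver_sources(buf):
    """Source files whose marker strings all occur in buf."""
    return [src for src, pats in MARKERS.items()
            if all(buf.find(p) != -1 for p in pats)]

def scan(path):
    """Matched source names if path is a static ELF, else []."""
    try:
        with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as buf:
            return resolver_sources(buf) if is_static_elf(buf) else []
    except (OSError, ValueError):  # unreadable, or an empty file that cannot be mapped
        return []

if __name__ == "__main__":
    # Paths come from the command line, e.g. supplied by find ... | xargs -0
    for p in sys.argv[1:]:
        hits = scan(p)
        if hits:
            print(p + ": " + ", ".join(hits))
```

As with the one-liner, a binary linked against a libc whose strings differ from these markers is not reported.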
