Date: Thu, 27 Jun 2002 13:42:46 +0900 (JST)
From: NATORI Shin <natori@adm.s.u-tokyo.ac.jp>
To: kevin.way@overtone.org
Cc: brian@hyperreal.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
Message-ID: <20020627.134246.66136331.natori@adm.s.u-tokyo.ac.jp>
In-Reply-To: <20020627033441.GA99268@overtone.org>
References: <Pine.NEB.3.96L.1020626162041.16603B-100000@fledge.watson.org> <20020626152851.Q310-100000@yez.hyperreal.org> <20020627033441.GA99268@overtone.org>

Hi,

From: Kevin Way <kevin.way@overtone.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
Date: Wed, 26 Jun 2002 23:34:41 -0400

> On Wed, Jun 26, 2002 at 03:29:45PM -0700, Brian Behlendorf wrote:
> > Sorry for the newbie question here, but is there a way to programmatically
> > determine which binaries on a system static-linked libc?  I tried "nm" but
> > that needs non-stripped executables...
>
> quick, dirty, evil, and maybe even effective?
>
> -Kevin Way
>
> #!/usr/local/bin/bash
>
> function dir_walk()
> {
>     for test in "$1"/*
>     do
>         if [ "$test" = '.' -o "$test" = '..' ]
>         then
>             break
>         elif [ -d "$test" ]
>         then
>             dir_walk "$test"
>         else
>             do_something "$test"
>         fi
>     done
> }
>
> function do_something()
> {
>     if file "$1" | grep 'statically linked' > /dev/null 2>&1
>     then
>         echo "well shit, $1 is statically linked"
>     fi
> }
>
> dir_walk /

Perhaps this one is faster

find / -type f -print0 | xargs -0 file | grep -i 'statically linked'

FYI: I used the following one-liner to detect vulnerable binaries.
This is not very effective, needs a lot of memory, and will not detect
vulnerable binaries that have been linked to old libc.  Therefore I
cannot make any guarantee, but at least it seems to work well on my box.

find / -type f -print0 | xargs -0 file | grep -i 'statically linked' |
perl -e 'while (<>) {
    my ($file) = split(/:/);
    if (open(IN, "<$file")) {
        my $s = join("", <IN>);
        close(IN);
        if ($s =~ m%gethostby\*\.gethostanswer: asked for% ||
            $s =~ m/%u\.%u\.%u\.%u\.in-addr\.arpa/ ||
            $s =~ m%in-addr\.arpa% && $s =~ m%/etc/hosts% && $s =~ m%/etc/host\.conf%) {
            print $file, "\n";
        }
    } else {
        print STDERR "Cannot open $file\n";
    }
}'

# NOTE:
# It seems that there are three vulnerable source files: gethostbydns.c,
# getnetbydns.c, name6.c (according to
# ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch)
# The above one-liner detects these files, using the fact that
# "gethostby*.gethostanswer: asked for" appears in gethostbydns.c,
# "%u.%u.%u.%u.in-addr.arpa" appears in getnetbydns.c, and
# "/etc/hosts", "/etc/host.conf" and "in-addr.arpa" appear in name6.c.

--
/* NATORI Shin, natori@adm.s.u-tokyo.ac.jp */

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
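
Added example, not part of the original message: the same three marker-string rules from the NOTE above, written in Python as a replacement for the Perl stage that reads each binary in fixed-size chunks instead of loading it whole into memory. The function names, the script name and the 1 MiB chunk size are assumptions; the limitation about binaries linked to old libc still applies.

```python
import sys

# Marker strings per vulnerable source file, taken from the NOTE in the message.
RULES = {
    "gethostbydns.c": [b"gethostby*.gethostanswer: asked for"],
    "getnetbydns.c": [b"%u.%u.%u.%u.in-addr.arpa"],
    "name6.c": [b"in-addr.arpa", b"/etc/hosts", b"/etc/host.conf"],
}
MARKERS = {m for ms in RULES.values() for m in ms}
OVERLAP = max(len(m) for m in MARKERS) - 1  # bytes carried across chunk edges


def matched_sources(stream, chunk_size=1 << 20):
    """Return the source files whose markers all occur in a binary stream."""
    found, tail = set(), b""
    while len(found) < len(MARKERS):
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk  # a marker split across two reads still matches
        found.update(m for m in MARKERS - found if m in window)
        tail = window[-OVERLAP:]
    return sorted(src for src, ms in RULES.items() if found.issuperset(ms))


def scan(file_output_lines):
    """Yield (path, sources) for each `file` output line whose file matches."""
    for line in file_output_lines:
        # Same first-colon split as the Perl stage: paths containing ':' are
        # mis-parsed and end up reported as unopenable.
        path = line.split(b":", 1)[0]
        try:
            with open(path, "rb") as fh:
                hits = matched_sources(fh)
        except OSError:
            print(f"Cannot open {path!r}", file=sys.stderr)
            continue
        if hits:
            yield path, hits


if __name__ == "__main__":
    # Usage (assumed script name):
    #   find ... | xargs -0 file | grep -i 'statically linked' | python3 resolv_scan.py
    for path, hits in scan(sys.stdin.buffer):
        print(path.decode(errors="replace"), ",".join(hits))
```

Unlike the one-liner, the output also names which of the three source files' strings were found in each binary.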