Date: Thu, 27 Jun 2002 13:42:46 +0900 (JST)
From: NATORI Shin <natori@adm.s.u-tokyo.ac.jp>
To: kevin.way@overtone.org
Cc: brian@hyperreal.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
Message-ID: <20020627.134246.66136331.natori@adm.s.u-tokyo.ac.jp>
In-Reply-To: <20020627033441.GA99268@overtone.org>
References: <Pine.NEB.3.96L.1020626162041.16603B-100000@fledge.watson.org> <20020626152851.Q310-100000@yez.hyperreal.org> <20020627033441.GA99268@overtone.org>
Hi,
From: Kevin Way <kevin.way@overtone.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv
Date: Wed, 26 Jun 2002 23:34:41 -0400
> On Wed, Jun 26, 2002 at 03:29:45PM -0700, Brian Behlendorf wrote:
> > Sorry for the newbie question here, but is there a way to programmatically
> > determine which binaries on a system static-linked libc? I tried "nm" but
> > that needs non-stripped executables...
>
> quick, dirty, evil, and maybe even effective?
>
> -Kevin Way
>
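> #!/usr/local/bin/bash
>
> # Recursively walk directory $1 and check every non-directory entry.
> function dir_walk()
> {
>     for test in "$1"/*
>     do
>         # compare the last path component; skip the entry, do not end the loop
>         if [ "${test##*/}" = '.' -o "${test##*/}" = '..' ]
>         then
>             continue
>         elif [ -d "$test" ]
>         then
>             dir_walk "$test"
>         else
>             do_something "$test"
>         fi
>     done
> }
>
> # Report $1 if file(1) describes it as statically linked.
> function do_something()
> {
>     if file "$1" | grep 'statically linked' > /dev/null 2>&1
>     then
>         echo "well shit, $1 is statically linked"
>     fi
> }
>
> dir_walk /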
Perhaps this one is faster:
find / -type f -print0 | xargs -0 file | grep -i 'statically linked'
FYI: I used the following one-liner to detect vulnerable binaries.
This is not very effective, needs a lot of memory, and will not detect
vulnerable binaries that have been linked to old libc. Therefore I
cannot make any guarantee, but at least it seems to work well on my box.
find / -type f -print0 | xargs -0 file | grep -i 'statically linked' | perl -e 'while (<>) { my ($file) = split(/:/); if (open(IN, "<$file")) { my $s = join("", <IN>); close(IN); if ($s =~ m%gethostby\*\.gethostanswer: asked for% || $s =~ m/%u\.%u\.%u\.%u\.in-addr\.arpa/ || $s =~ m%in-addr\.arpa% && $s =~ m%/etc/hosts% && $s =~ m%/etc/host\.conf%) { print $file, "\n"; }} else { print STDERR "Cannot open $file\n"; }}'
# NOTE:
# It seems that there are three vulnerable source files: gethostbydns.c,
# getnetbydns.c, name6.c (according to
# ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch)
# The above one-liner detects these files, using the fact that
# "gethostby*.gethostanswer: asked for" appears in gethostbydns.c,
# "%u.%u.%u.%u.in-addr.arpa" appears in getnetbydns.c, and
# "/etc/hosts", "/etc/host.conf" and "in-addr.arpa" appear in name6.c.
--
/* NATORI Shin, natori@adm.s.u-tokyo.ac.jp */
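
A streaming variant of the marker-string check described in the message above, as an added example that is not part of the original e-mail: it tests the strings listed in the NOTE one file at a time instead of reading each binary into memory. The function names are made up for illustration, and file(1) is assumed to be installed.

```sh
#!/bin/sh
# Added example: streaming check for the marker strings listed in the NOTE.

# Return 0 if file $1 contains the literal string $2. NUL bytes are turned
# into newlines so each embedded C string is matched as its own line, and
# the file is streamed rather than held in memory.
contains() {
    [ -r "$1" ] || return 1
    LC_ALL=C tr '\000' '\n' < "$1" | LC_ALL=C grep -q -F -e "$2"
}

# Return 0 if file $1 carries the markers of one of the three source files.
has_resolver_markers() {
    # gethostbydns.c
    contains "$1" 'gethostby*.gethostanswer: asked for' && return 0
    # getnetbydns.c
    contains "$1" '%u.%u.%u.%u.in-addr.arpa' && return 0
    # name6.c: all three strings must be present
    contains "$1" 'in-addr.arpa' &&
        contains "$1" '/etc/hosts' &&
        contains "$1" '/etc/host.conf' && return 0
    return 1
}

# Print each statically linked regular file under directory $1 that has the
# markers. Assumes file(1) is installed; paths with newlines are not handled.
scan_static() {
    find "$1" -type f -print 2>/dev/null | while IFS= read -r path; do
        case $(file -b "$path" 2>/dev/null) in
            *'statically linked'*) ;;
            *) continue ;;
        esac
        if has_resolver_markers "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Scan only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_static "$1"
fi
```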
