[24661] in bugtraq
Re: zlibscan : script to find suid binaries possibly affected by
daemon@ATHENA.MIT.EDU (Adam)
Wed Mar 13 15:26:22 2002
Date: Tue, 12 Mar 2002 22:14:05 -0500 (EST)
From: Adam <adam@cfar.umd.edu>
To: hologram <holo@brained.org>
Cc: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>
In-Reply-To: <Pine.BSO.4.33.0203112131260.11537-100000@brained.org>
Message-ID: <Pine.GSO.4.33.0203122207380.8239-100000@chia.umiacs.umd.edu>
> #!/bin/sh
> (ldd `find /bin -perm -4000` 2> /dev/null | grep zlib) > zlib.lst
> (ldd `find /sbin -perm -4000` 2> /dev/null | grep zlib) >> zlib.lst
> (ldd `find /usr/bin -perm -4000` 2> /dev/null | grep zlib) >> zlib.lst
> (ldd `find /etc -perm -4000` 2> /dev/null | grep zlib) >> zlib.lst
> (ldd `find /var -perm -4000` 2> /dev/null | grep zlib) >> zlib.lst

A few comments:

1) Wasn't the library called 'libz' instead of 'zlib'? At least
that is what it is called on my system:

# rpm -q -l zlib
/usr/lib/libz.so.1

2) ldd is just a shell wrapper, so for a system-wide search it is more
efficient to call ld-linux directly (at least on Linux systems),
for example:

# ldd /sbin/askrunlevel | grep libz
libz.so.1 => /usr/lib/libz.so.1 (0x400fa000)
# /lib/ld-linux.so.2 --list /sbin/askrunlevel | grep libz
libz.so.1 => /usr/lib/libz.so.1 (0x400e4000)

3) You are forgetting that a library can in turn call other
libraries, so searching binary directories is not enough. You have
to, at least, search library directories as well. For example:

# /lib/ld-linux.so.2 --list /usr/lib/kcalc.so | grep libz
libz.so.1 => /usr/lib/libz.so.1 (0x40be3000)

--
Adam
http://www.eax.com The Supreme Headquarters of the 32 bit registers
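
One way to combine the three comments above, as an added example that is not code from either poster: match the `libz.so` soname in the dependency listing and walk library directories as well as setuid binaries. The function names `links_libz` and `scan_tree` are made up for this sketch, and it uses `ldd` for portability rather than calling `/lib/ld-linux.so.2 --list` directly.

```shell
#!/bin/sh
# Added example: list setuid binaries and shared objects that resolve libz.
# Usage (directories are the caller's choice):
#   sh zscan.sh /bin /sbin /usr/bin /lib /usr/lib

# links_libz: read ldd-style output on stdin and succeed only if one of the
# listed dependencies is named libz.so or libz.so.N[.N...]. Matching the
# first field exactly avoids hits on unrelated names that merely contain
# "zlib" or "libz" somewhere in the line.
links_libz() {
    awk '$1 ~ /^libz\.so(\.[0-9]+)*$/ { found = 1 } END { exit !found }'
}

# scan_tree DIR...: print every setuid file or shared object under the given
# directories whose dependency list includes libz.
scan_tree() {
    find "$@" -xdev -type f \( -perm -4000 -o -name '*.so*' \) -print \
        2>/dev/null |
    while IFS= read -r f; do
        # Non-ELF files and static binaries produce no matching line.
        if ldd "$f" 2>/dev/null | links_libz; then
            printf '%s\n' "$f"
        fi
    done
}

# Only scan when directories are given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    scan_tree "$@"
fi
```

Some versions of `ldd` obtain the listing by running the file through the loader, so point this only at system-owned directories. Binaries with zlib compiled in statically do not show up in this output.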