Re: zlibscan : script to find suid binaries possibly affected by zlib vulnerability

From: Adam (adam@cfar.umd.edu)
Date: Wed Mar 13 2002 - 04:14:05 CET


> #!/bin/sh
> (ldd `find /bin -perm -4000` 2> /dev/null | grep zlib) > zlib.lst
> (ldd `find /sbin -perm -4000` 2> /dev/null | grep zlib) >> zlib.lst
> (ldd `find /usr/bin -perm -4000` 2> /dev/null | grep zlib) >> zlib.lst
> (ldd `find /etc -perm -4000` 2> /dev/null | grep zlib) >> zlib.lst
> (ldd `find /var -perm -4000` 2> /dev/null | grep zlib) >> zlib.lst

A few comments:

1) wasn't the library called 'libz' instead of 'zlib'? at least
   that is what it is called on my system:

        # rpm -q -l zlib
         /usr/lib/libz.so.1

2) ldd is just a shell wrapper, so for a system-wide search it is more
   efficient to call ld-linux directly (at least for Linux systems),
   for example:

        # ldd /sbin/askrunlevel | grep libz
                libz.so.1 => /usr/lib/libz.so.1 (0x400fa000)

        # /lib/ld-linux.so.2 --list /sbin/askrunlevel | grep libz
                libz.so.1 => /usr/lib/libz.so.1 (0x400e4000)

3) you are forgetting that a library can in turn call other
   libraries, so searching binary directories is not enough. you have
   to, at least, search library directories as well. for example:

        # /lib/ld-linux.so.2 --list /usr/lib/kcalc.so | grep libz
                libz.so.1 => /usr/lib/libz.so.1 (0x40be3000)

-- 
Adam
http://www.eax.com	The Supreme Headquarters of the 32 bit registers
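
The three comments above combined into one audit script, as an added example that is not part of the original post or the quoted zlibscan script. The names `links_libz`, `scan` and `LISTER` are hypothetical, and the sample listing is constructed from the output format shown in the post.

```shell
#!/bin/sh
# Added example (not from the original thread).

# Dependency lister; ldd by default. Per point 2 it can be set to the loader
# itself, e.g. LISTER="/lib/ld-linux.so.2 --list" (path taken from the post).
: "${LISTER:=ldd}"

# links_libz: read an ldd-style listing on stdin and succeed only if the
# first field of some line is exactly libz.so[.N...]. Matching the soname
# avoids the 'zlib' miss (point 1) and false hits such as libzstd.so.1.
links_libz() {
    awk '$1 ~ /^libz\.so(\.[0-9]+)*$/ { hit = 1 } END { exit !hit }'
}

# scan DIR...: print set-uid files, and shared objects (point 3), whose
# dependency listing includes libz. Point it at trusted system directories
# only: some listers run the inspected file's interpreter to get the list.
scan() {
    find "$@" -type f \( -perm -4000 -o -name '*.so*' \) 2>/dev/null |
    while IFS= read -r f; do
        # $LISTER is left unquoted on purpose so "loader --list" splits.
        if $LISTER "$f" 2>/dev/null | links_libz; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample listing, modelled on the output quoted in the post.
SAMPLE='        libz.so.1 => /usr/lib/libz.so.1 (0x400fa000)
        libc.so.6 => /lib/libc.so.6 (0x40109000)'

# Usage: sh scan.sh /bin /sbin /usr/bin /usr/lib
if [ "$#" -gt 0 ]; then
    scan "$@"
fi
```

Passing both binary and library directories covers set-uid programs that link libz directly and loadable modules such as the `kcalc.so` case in point 3.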



This archive was generated by hypermail 2.1.3 : Wed Mar 13 2002 - 18:37:30 CET