Blog | G5 Cyber Security

Scan Executable for Ghost Vulnerability

TL;DR

You can scan an executable file to check if it uses vulnerable functions from the glibc ghost vulnerability (CVE-2015-0235) using tools like objdump, strings, or dedicated static analysis tools. This guide shows you how.

Scanning for Ghost Vulnerability

  1. Understand the Vulnerable Functions: The glibc ghost vulnerability affects functions related to name service resolution. Specifically, look for calls to these functions:
    • gethostbyname
    • gethostbyname_r
    • getservbyname
    • getservbyport
  2. Using strings: This is a quick and dirty method. It searches for ASCII strings within the executable.
    strings your_executable | grep -E "gethostbyname|gethostbyname_r|getservbyname|getservbyport"

    If any of these functions are found, it suggests potential use. However, this isn’t definitive as the strings might be present in libraries or comments.

  3. Using objdump: This disassembler provides more accurate results by showing function calls.
    objdump -d your_executable | grep -E "gethostbyname|gethostbyname_r|getservbyname|getservbyport"

    Examine the output carefully. Look for actual call instructions (in a dynamically linked binary these go through the PLT, e.g., call <gethostbyname@plt>). This indicates the executable directly calls these functions.

  4. Using readelf: This tool displays information about ELF files, including imported symbols.
    readelf -s your_executable | grep -E "gethostbyname|gethostbyname_r|getservbyname|getservbyport"

    Check if these functions are listed in the dynamic symbol table (.dynsym) as undefined (UND) symbols. This shows whether they are resolved from glibc at load time. `readelf -s` prints both .symtab and .dynsym; `readelf --dyn-syms` limits the output to the dynamic symbol table.

  5. Static Analysis Tools (Recommended): For a more reliable and comprehensive analysis, use static analysis tools like:
    • IDA Pro: A powerful disassembler with advanced features for identifying function calls and dependencies.
    • Ghidra: A free and open-source reverse engineering tool suite developed by the NSA. It offers similar capabilities to IDA Pro.
    • Binary Ninja: Another commercial disassembler and static analysis platform.

    These tools can help you trace function calls, identify vulnerable code paths, and understand how the executable interacts with glibc.

  6. Interpreting Results:
    • Direct Calls: If objdump shows direct calls to the vulnerable functions, the executable is likely affected.
    • Indirect Calls (through libraries): Even if there are no direct calls, the executable might be using a library that calls these functions internally. Static analysis tools can help you identify such dependencies.
    • False Positives: Be aware of potential false positives. The presence of function names in strings or symbol tables doesn’t necessarily mean the executable is vulnerable.
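
The dynamic symbol table check from step 4, and the direct-versus-indirect distinction from step 6, can be done without binutils by reading the ELF structures yourself. The script below is an added example (not the page's own tooling, and not a G5 Cyber Security tool): it parses an ELF64 image with Python's standard library only, lists the symbols the file imports through .dynsym, and intersects them with the function names the page lists. `build_sample_elf` constructs a minimal ELF64 image (header, .dynsym, .dynstr, .shstrtab and section headers, no code) so the scan runs offline; the names `GHOST_FUNCS`, `undefined_dynamic_symbols`, `ghost_imports`, `build_sample_elf` and `scan_file` are this example's own. It only sees direct imports, exactly like readelf; a dependency that calls these functions internally (the indirect case in step 6) will not show up, and 32-bit ELF files are rejected rather than misread.

```python
import struct
import sys

# Function names the page lists for the GHOST scan (CVE-2015-0235).
# The overflow itself is in glibc's __nss_hostname_digits_dots(), reached
# through gethostbyname()/gethostbyname2() and their _r variants; the fix is
# a patched glibc, so a hit here means "check the installed glibc version".
GHOST_FUNCS = {"gethostbyname", "gethostbyname_r", "getservbyname", "getservbyport"}

SHT_STRTAB = 3    # string table section
SHT_DYNSYM = 11   # dynamic symbol table (.dynsym)
SHN_UNDEF = 0     # st_shndx of a symbol resolved by the dynamic linker


def _cstring(data, offset):
    """Read a NUL-terminated string out of a string table."""
    end = data.index(b"\0", offset)
    return data[offset:end].decode("ascii", "replace")


def undefined_dynamic_symbols(elf):
    """Return the set of names the ELF64 image imports via .dynsym."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    (e_shoff,) = struct.unpack_from("<Q", elf, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", elf, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", elf, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    imports = set()
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type != SHT_DYNSYM:
            continue
        strtab_offset = sections[sh_link][4]   # sh_link names the matching .dynstr
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize):
            # Elf64_Sym: name, info, other, shndx, value, size
            st_name, _, _, st_shndx, _, _ = struct.unpack_from("<IBBHQQ", elf, off)
            if st_shndx == SHN_UNDEF and st_name:
                imports.add(_cstring(elf, strtab_offset + st_name))
    return imports


def ghost_imports(elf):
    """Names from GHOST_FUNCS that the image actually imports, sorted."""
    return sorted(undefined_dynamic_symbols(elf) & GHOST_FUNCS)


def build_sample_elf(imported_names):
    """Construct a minimal ELF64 image whose .dynsym imports the given names.

    Constructed test input for this example: header, .dynsym, .dynstr,
    .shstrtab and section headers only, no program headers or code.
    """
    dynstr, name_off = b"\0", {}
    for name in imported_names:
        name_off[name] = len(dynstr)
        dynstr += name.encode() + b"\0"
    dynsym = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)           # mandatory null symbol
    for name in imported_names:                                 # STB_GLOBAL | STT_FUNC, UND
        dynsym += struct.pack("<IBBHQQ", name_off[name], 0x12, 0, SHN_UNDEF, 0, 0)
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"
    off_dynstr = 64
    off_dynsym = off_dynstr + len(dynstr)
    off_shstr = off_dynsym + len(dynsym)
    off_shdrs = off_shstr + len(shstrtab)
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # ELF64, little-endian
            + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, off_shdrs, 0, 64, 0, 0, 64, 4, 3))

    def shdr(name, typ, offset, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, offset, size, link, 0, 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_DYNSYM, off_dynsym, len(dynsym), 2, 24)
             + shdr(9, SHT_STRTAB, off_dynstr, len(dynstr), 0, 0)
             + shdr(17, SHT_STRTAB, off_shstr, len(shstrtab), 0, 0))
    return ehdr + dynstr + dynsym + shstrtab + shdrs


def scan_file(path):
    """Scan a real ELF64 file on disk; returns the GHOST-related imports."""
    with open(path, "rb") as fh:
        return ghost_imports(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, scan_file(path) or "no GHOST-related imports")
    else:
        sample = build_sample_elf(["printf", "gethostbyname"])
        print("constructed sample imports:", ghost_imports(sample))
```

Run it as `python3 ghost_scan.py /path/to/binary` to scan real files, or with no arguments to scan the constructed sample. A non-empty result is the same signal `readelf --dyn-syms` gives in step 4: the executable resolves one of these names from glibc at load time, which is a reason to verify the installed glibc, not proof that the program is exploitable.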

Important Note: Scanning for these functions only indicates *potential* vulnerability. A thorough security review and testing are essential to confirm whether the executable is actually exploitable.
