TL;DR
You can scan an executable file to check whether it uses the functions affected by the glibc GHOST vulnerability (CVE-2015-0235) using tools like objdump, strings, or dedicated static analysis tools. This guide shows you how.
Scanning for Ghost Vulnerability
- Understand the Vulnerable Functions: The glibc GHOST vulnerability affects functions related to name service resolution. Specifically, look for calls to these functions:
  - gethostbyname
  - gethostbyname_r
  - getservbyname
  - getservbyport
- Using strings: This is a quick and dirty method. It searches for ASCII strings within the executable.

      strings your_executable | grep -E "gethostbyname|gethostbyname_r|getservbyname|getservbyport"

  If any of these functions are found, it suggests potential use. However, this isn't definitive as the strings might be present in libraries or comments.
- Using objdump: This disassembler provides more accurate results by showing function calls.

      objdump -d your_executable | grep -E "gethostbyname|gethostbyname_r|getservbyname|getservbyport"

  Examine the output carefully. Look for actual call instructions (e.g., call gethostbyname). This indicates the executable directly calls these functions.
- Using readelf: This tool displays information about ELF files, including imported symbols.

      readelf -s your_executable | grep -E "gethostbyname|gethostbyname_r|getservbyname|getservbyport"

  Check if these functions are listed in the dynamic symbol table. This shows whether they're being linked against glibc.
- Static Analysis Tools (Recommended): For a more reliable and comprehensive analysis, use static analysis tools like:
  - IDA Pro: A powerful disassembler with advanced features for identifying function calls and dependencies.
  - Ghidra: A free and open-source reverse engineering tool suite developed by the NSA. It offers similar capabilities to IDA Pro.
  - Binary Ninja: Another commercial disassembler and static analysis platform.

  These tools can help you trace function calls, identify vulnerable code paths, and understand how the executable interacts with glibc.
- Interpreting Results:
  - Direct Calls: If objdump shows direct calls to the vulnerable functions, the executable is likely affected.
  - Indirect Calls (through libraries): Even if there are no direct calls, the executable might be using a library that calls these functions internally. Static analysis tools can help you identify such dependencies.
  - False Positives: Be aware of potential false positives. The presence of function names in strings or symbol tables doesn't necessarily mean the executable is vulnerable.
Important Note: Scanning for these functions only indicates *potential* vulnerability. A thorough security review and testing are essential to confirm whether the executable is actually exploitable.
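The readelf check and the false-positive caveat above, as an added example that is not part of the original guide: it parses readelf --dyn-syms -W output and reports only the listed names that are undefined FUNC symbols (real imports), matched exactly rather than as substrings. The sample symbol table is constructed, and ghost_imports, sample_dynsyms and scan_file are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report which of the guide's function names a binary imports.
GHOST_FUNCS="gethostbyname gethostbyname_r getservbyname getservbyport"

# ghost_imports: reads `readelf --dyn-syms -W` output on stdin and prints,
# one per line, each listed name that is an undefined (imported) FUNC symbol.
ghost_imports() {
    awk -v want="$GHOST_FUNCS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) target[w[i]] = 1 }
        # Columns: Num Value Size Type Bind Vis Ndx Name [version index]
        $4 == "FUNC" && $7 == "UND" {
            name = $8
            sub(/@.*/, "", name)          # drop the @GLIBC_x.y version suffix
            if ((name in target) && !(name in seen)) { seen[name] = 1; print name }
        }
    ' | sort
}

# Constructed sample of readelf output (not taken from a real binary).
# Entries 4-6 are names the guide's grep pattern would match by substring
# but that are not imports of the listed functions.
sample_dynsyms() {
    cat <<'EOF'
Symbol table '.dynsym' contains 7 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname_r@GLIBC_2.2.5 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND gethostbyname@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getservbyname_hook
     5: 0000000000001189    42 FUNC    GLOBAL DEFAULT   14 getservbyport
     6: 0000000000004010     8 OBJECT  GLOBAL DEFAULT   25 gethostbyname_count
EOF
}

# scan_file PATH: the same check against a real ELF file (needs binutils).
scan_file() {
    readelf --dyn-syms -W "$1" | ghost_imports
}

# Demo on the constructed sample; for a real file: scan_file ./your_executable
sample_dynsyms | ghost_imports
```

An empty result only rules out direct imports by this file; a statically linked binary or a dependency that calls these functions internally will not show up here.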

