Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-12-23 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Libraries and Dependencies - It Really is Turtles All The Way Down!

Published: 2015-12-23
Last Updated: 2015-12-23 16:25:39 UTC
by Rob VandenBrink (Version: 1)
5 comment(s)

There's been a fair amount of discussion in recent months, especially in IoT circles, about application dependencies - especially with respect to encryption and vulnerabilities in libraries.  For instance - in version x of a product, which libraries are used?  The salesfolks will stop there, but more importantly, which libraries and DLLs do my libraries and DLL's use, and so on?   If you go 3 levels deep, will you maybe find a statically linked openssl lib that's vulnerable to poodle or something else?

In Windows, you can get that first pass using Powershell:

PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module
   Size(K) ModuleName                                         FileName
   ------- ----------                                         --------
       212 notepad.exe                                        C:\windows\not...
      1700 ntdll.dll                                          C:\Windows\SYS...
      1152 kernel32.dll                                       C:\Windows\sys...
       432 KERNELBASE.dll                                     C:\Windows\sys...
       544 SYSFER.DLL                                         C:\Windows\Sys...
       876 ADVAPI32.dll                                       C:\Windows\sys...
       636 msvcrt.dll                                         C:\Windows\sys...

or, more verbosely (this is the listing that you really want):

 

PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module  -fileversioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   6.1.7600.1638... C:\windows\notepad.exe
6.1.7600.16385   6.1.7600.1638... C:\Windows\SYSTEM32\ntdll.dll
6.1.7601.18015   6.1.7601.1801... C:\Windows\system32\kernel32.dll
6.1.7601.18015   6.1.7601.1801... C:\Windows\system32\KERNELBASE.dll
12.1.5337.5000   12.1.5337.5000   C:\Windows\System32\SYSFER.DLL
6.1.7601.18869   6.1.7601.1886... C:\Windows\system32\ADVAPI32.dll
7.0.7601.17744   7.0.7601.1774... C:\Windows\system32\msvcrt.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\SYSTEM32\sechost.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\RPCRT4.dll
6.1.7601.18898   6.1.7601.1889... C:\Windows\system32\GDI32.dll
6.1.7601.17514   6.1.7601.1751... C:\Windows\system32\USER32.dll
6.1.7601.18985   6.1.7601.1898... C:\Windows\system32\LPK.dll
1.0626.7601.1... 1.0626.7601.1... C:\Windows\system32\USP10.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\COMDLG32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\SHLWAPI.dll
6.1.7600.16385   6.10 (win7_rt... C:\Windows\WinSxS\amd64_microsoft.windows....
6.1.7601.17514   6.1.7601.1751... C:\Windows\system32\SHELL32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\WINSPOOL.DRV
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\ole32.dll
6.1.7601.18679   6.1.7601.18679   C:\Windows\system32\OLEAUT32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\VERSION.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\IMM32.DLL
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\MSCTF.dll
9.18.13.4149     9.18.13.4149     C:\Windows\system32\nvinitx.dll

But that doesn't show the dependecy tree (if someone knows how to do this in Powershell, please use the comment form and let us all know!).

Dependency Walker does a decent job of this for Windows apps (http://dependencywalker.com/).  A simple run of "depends.exe /c /oc:dependencies-np.csv /ot:dependencies-np.txt c:\windows\notepad.exe" gives us a much more complete dependency tree listing (over 3000 lines in my system):

[  6] c:\windows\NOTEPAD.EXE
     [  6] c:\windows\system32\ADVAPI32.DLL
          [ ^6] c:\windows\system32\MSVCRT.DLL
               [F^6] c:\windows\system32\NTDLL.DLL
          [ ^6] c:\windows\system32\NTDLL.DLL
          [  6] c:\windows\system32\KERNELBASE.DLL
               [ ^6] c:\windows\system32\NTDLL.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-CORE-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL
       (... and so on)

This isn't something you need every day - but if you are auditing code to see what's inside of it, to see if you are using a vulnerable library 2 or 3 levels deep, it's invaluable.  No matter how good your processes are, there will always be some reference to an old library left over that someone thought  was deleted, a dll used by a library you bought (or downloaded) that you didn't know was statically linked in there, or something a dev used "just for testing" that never got removed.

In Linux?  Much easier- ldd (with a -v argument) does the trick there - in OSX you would use "otool -L". For instance, to get the full dependency tree for vi:

ldd -v /usr/bin/vi > vi-tree.out

This gives me a 465 line tree of libraries!  (on kali 2.0).  Without the tree listing, it's down to 65 unique libs, but that's still a solid bit of work to plow through to come to the answer of "Are all my libraries up to date?  Am I vulnerable to something I wasn't aware of?"  Tools like CVE Search can simplify this task, but there's still some plain old hard work involved!

Similarly, if you work in the mobile space, on android you might use ldd-arm or maybe ndk-depends.  What do you use to get a similar tree listing for iOS?

If you've found a better way to tackle this problem (on whatever OS) that I've overlooked, please - use our comment form and post some code!

===============
Rob VandenBrink
Compugen

5 comment(s)
Diary Archives