Libraries and Dependencies - It Really is Turtles All The Way Down!
There's been a fair amount of discussion in recent months, especially in IoT circles, about application dependencies - especially with respect to encryption and vulnerabilities in libraries. For instance - in version x of a product, which libraries are used? The salesfolks will stop there, but more importantly, which libraries and DLLs do my libraries and DLL's use, and so on? If you go 3 levels deep, will you maybe find a statically linked openssl lib that's vulnerable to poodle or something else?
In Windows, you can get that first pass using Powershell:
PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module
Size(K) ModuleName FileName
------- ---------- --------
212 notepad.exe C:\windows\not...
1700 ntdll.dll C:\Windows\SYS...
1152 kernel32.dll C:\Windows\sys...
432 KERNELBASE.dll C:\Windows\sys...
544 SYSFER.DLL C:\Windows\Sys...
876 ADVAPI32.dll C:\Windows\sys...
636 msvcrt.dll C:\Windows\sys...
or, more verbosely (this is the listing that you really want):
PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module -fileversioninfo
ProductVersion FileVersion FileName
-------------- ----------- --------
6.1.7600.16385 6.1.7600.1638... C:\windows\notepad.exe
6.1.7600.16385 6.1.7600.1638... C:\Windows\SYSTEM32\ntdll.dll
6.1.7601.18015 6.1.7601.1801... C:\Windows\system32\kernel32.dll
6.1.7601.18015 6.1.7601.1801... C:\Windows\system32\KERNELBASE.dll
12.1.5337.5000 12.1.5337.5000 C:\Windows\System32\SYSFER.DLL
6.1.7601.18869 6.1.7601.1886... C:\Windows\system32\ADVAPI32.dll
7.0.7601.17744 7.0.7601.1774... C:\Windows\system32\msvcrt.dll
6.1.7600.16385 6.1.7600.1638... C:\Windows\SYSTEM32\sechost.dll
6.1.7600.16385 6.1.7600.1638... C:\Windows\system32\RPCRT4.dll
6.1.7601.18898 6.1.7601.1889... C:\Windows\system32\GDI32.dll
6.1.7601.17514 6.1.7601.1751... C:\Windows\system32\USER32.dll
6.1.7601.18985 6.1.7601.1898... C:\Windows\system32\LPK.dll
1.0626.7601.1... 1.0626.7601.1... C:\Windows\system32\USP10.dll
6.1.7600.16385 6.1.7600.1638... C:\Windows\system32\COMDLG32.dll
6.1.7600.16385 6.1.7600.1638... C:\Windows\system32\SHLWAPI.dll
6.1.7600.16385 6.10 (win7_rt... C:\Windows\WinSxS\amd64_microsoft.windows....
6.1.7601.17514 6.1.7601.1751... C:\Windows\system32\SHELL32.dll
6.1.7600.16385 6.1.7600.1638... C:\Windows\system32\WINSPOOL.DRV
6.1.7600.16385 6.1.7600.1638... C:\Windows\system32\ole32.dll
6.1.7601.18679 6.1.7601.18679 C:\Windows\system32\OLEAUT32.dll
6.1.7600.16385 6.1.7600.1638... C:\Windows\system32\VERSION.dll
6.1.7600.16385 6.1.7600.1638... C:\Windows\system32\IMM32.DLL
6.1.7600.16385 6.1.7600.1638... C:\Windows\system32\MSCTF.dll
9.18.13.4149 9.18.13.4149 C:\Windows\system32\nvinitx.dll
But that doesn't show the dependecy tree (if someone knows how to do this in Powershell, please use the comment form and let us all know!).
Dependency Walker does a decent job of this for Windows apps (http://dependencywalker.com/). A simple run of "depends.exe /c /oc:dependencies-np.csv /ot:dependencies-np.txt c:\windows\notepad.exe" gives us a much more complete dependency tree listing (over 3000 lines in my system):
[ 6] c:\windows\NOTEPAD.EXE
[ 6] c:\windows\system32\ADVAPI32.DLL
[ ^6] c:\windows\system32\MSVCRT.DLL
[F^6] c:\windows\system32\NTDLL.DLL
[ ^6] c:\windows\system32\NTDLL.DLL
[ 6] c:\windows\system32\KERNELBASE.DLL
[ ^6] c:\windows\system32\NTDLL.DLL
[ 6] c:\windows\system32\API-MS-WIN-SERVICE-CORE-L1-1-0.DLL
[ 6] c:\windows\system32\API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL
[ 6] c:\windows\system32\API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL
[ 6] c:\windows\system32\API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL
(... and so on)
This isn't something you need every day - but if you are auditing code to see what's inside of it, to see if you are using a vulnerable library 2 or 3 levels deep, it's invaluable. No matter how good your processes are, there will always be some reference to an old library left over that someone thought was deleted, a dll used by a library you bought (or downloaded) that you didn't know was statically linked in there, or something a dev used "just for testing" that never got removed.
In Linux? Much easier- ldd (with a -v argument) does the trick there - in OSX you would use "otool -L". For instance, to get the full dependency tree for vi:
ldd -v /usr/bin/vi > vi-tree.out
This gives me a 465 line tree of libraries! (on kali 2.0). Without the tree listing, it's down to 65 unique libs, but that's still a solid bit of work to plow through to come to the answer of "Are all my libraries up to date? Am I vulnerable to something I wasn't aware of?" Tools like CVE Search can simplify this task, but there's still some plain old hard work involved!
Similarly, if you work in the mobile space, on android you might use ldd-arm or maybe ndk-depends. What do you use to get a similar tree listing for iOS?
If you've found a better way to tackle this problem (on whatever OS) that I've overlooked, please - use our comment form and post some code!
===============
Rob VandenBrink
Compugen
Comments
Turn on SAFER without restrictions just to log all executables: see http://seclists.org/fulldisclosure/2015/Nov/101
Anonymous
Dec 24th 2015
8 years ago
Anonymous
Dec 24th 2015
8 years ago
You can also manage your own db of hashes from a clean computer. I wrote a diary on this topic: https://isc.sans.edu/forums/diary/Detecting+file+changes+on+Microsoft+systems+with+FCIV/20091 (for Microsoft systems)
Anonymous
Dec 24th 2015
8 years ago
They are also protected by the "Windows File/Resource Protection".
Use WinVerifyTrust() to check the signatures.
On Linux, both installation packages as well as their contents are cryptographically signed too; check their detached signatures.
Anonymous
Dec 25th 2015
8 years ago
Anonymous
Jan 4th 2016
8 years ago