Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Libraries and Dependencies - It Really is Turtles All The Way Down! - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Libraries and Dependencies - It Really is Turtles All The Way Down!

There's been a fair amount of discussion in recent months, especially in IoT circles, about application dependencies - especially with respect to encryption and vulnerabilities in libraries.  For instance - in version x of a product, which libraries are used?  The salesfolks will stop there, but more importantly, which libraries and DLLs do my libraries and DLL's use, and so on?   If you go 3 levels deep, will you maybe find a statically linked openssl lib that's vulnerable to poodle or something else?

In Windows, you can get that first pass using Powershell:

PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module
   Size(K) ModuleName                                         FileName
   ------- ----------                                         --------
       212 notepad.exe                                        C:\windows\not...
      1700 ntdll.dll                                          C:\Windows\SYS...
      1152 kernel32.dll                                       C:\Windows\sys...
       432 KERNELBASE.dll                                     C:\Windows\sys...
       544 SYSFER.DLL                                         C:\Windows\Sys...
       876 ADVAPI32.dll                                       C:\Windows\sys...
       636 msvcrt.dll                                         C:\Windows\sys...

or, more verbosely (this is the listing that you really want):

 

PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module  -fileversioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   6.1.7600.1638... C:\windows\notepad.exe
6.1.7600.16385   6.1.7600.1638... C:\Windows\SYSTEM32\ntdll.dll
6.1.7601.18015   6.1.7601.1801... C:\Windows\system32\kernel32.dll
6.1.7601.18015   6.1.7601.1801... C:\Windows\system32\KERNELBASE.dll
12.1.5337.5000   12.1.5337.5000   C:\Windows\System32\SYSFER.DLL
6.1.7601.18869   6.1.7601.1886... C:\Windows\system32\ADVAPI32.dll
7.0.7601.17744   7.0.7601.1774... C:\Windows\system32\msvcrt.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\SYSTEM32\sechost.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\RPCRT4.dll
6.1.7601.18898   6.1.7601.1889... C:\Windows\system32\GDI32.dll
6.1.7601.17514   6.1.7601.1751... C:\Windows\system32\USER32.dll
6.1.7601.18985   6.1.7601.1898... C:\Windows\system32\LPK.dll
1.0626.7601.1... 1.0626.7601.1... C:\Windows\system32\USP10.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\COMDLG32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\SHLWAPI.dll
6.1.7600.16385   6.10 (win7_rt... C:\Windows\WinSxS\amd64_microsoft.windows....
6.1.7601.17514   6.1.7601.1751... C:\Windows\system32\SHELL32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\WINSPOOL.DRV
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\ole32.dll
6.1.7601.18679   6.1.7601.18679   C:\Windows\system32\OLEAUT32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\VERSION.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\IMM32.DLL
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\MSCTF.dll
9.18.13.4149     9.18.13.4149     C:\Windows\system32\nvinitx.dll

But that doesn't show the dependecy tree (if someone knows how to do this in Powershell, please use the comment form and let us all know!).

Dependency Walker does a decent job of this for Windows apps (http://dependencywalker.com/).  A simple run of "depends.exe /c /oc:dependencies-np.csv /ot:dependencies-np.txt c:\windows\notepad.exe" gives us a much more complete dependency tree listing (over 3000 lines in my system):

[  6] c:\windows\NOTEPAD.EXE
     [  6] c:\windows\system32\ADVAPI32.DLL
          [ ^6] c:\windows\system32\MSVCRT.DLL
               [F^6] c:\windows\system32\NTDLL.DLL
          [ ^6] c:\windows\system32\NTDLL.DLL
          [  6] c:\windows\system32\KERNELBASE.DLL
               [ ^6] c:\windows\system32\NTDLL.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-CORE-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL
       (... and so on)

This isn't something you need every day - but if you are auditing code to see what's inside of it, to see if you are using a vulnerable library 2 or 3 levels deep, it's invaluable.  No matter how good your processes are, there will always be some reference to an old library left over that someone thought  was deleted, a dll used by a library you bought (or downloaded) that you didn't know was statically linked in there, or something a dev used "just for testing" that never got removed.

In Linux?  Much easier- ldd (with a -v argument) does the trick there - in OSX you would use "otool -L". For instance, to get the full dependency tree for vi:

ldd -v /usr/bin/vi > vi-tree.out

This gives me a 465 line tree of libraries!  (on kali 2.0).  Without the tree listing, it's down to 65 unique libs, but that's still a solid bit of work to plow through to come to the answer of "Are all my libraries up to date?  Am I vulnerable to something I wasn't aware of?"  Tools like CVE Search can simplify this task, but there's still some plain old hard work involved!

Similarly, if you work in the mobile space, on android you might use ldd-arm or maybe ndk-depends.  What do you use to get a similar tree listing for iOS?

If you've found a better way to tackle this problem (on whatever OS) that I've overlooked, please - use our comment form and post some code!

===============
Rob VandenBrink
Compugen

Rob VandenBrink

497 Posts
ISC Handler
PowerShell sees only a snapshot, and DepencyWalker can't list DLLs which are loaded during runtime.

Turn on SAFER without restrictions just to log all executables: see http://seclists.org/fulldisclosure/2015/Nov/101
Anonymous
Is there anywhere admins can validate if the md5s on their systems are malicious? I assume that is how herdprotect works. It is so easy to find gigantic password files (rockyou.txt), but I don't see any huge files online offering known good (or bad) md5 hashes for windows or linux files.
mabraFoo

9 Posts
Have a look at the NSRL project (National Software Reference Library).
You can also manage your own db of hashes from a clean computer. I wrote a diary on this topic: isc.sans.edu/forums/diary/Detecting+file+changes+on+Microsoft+systems+with+FCIV/… (for Microsoft systems)
Xme

458 Posts
ISC Handler
Windows system files are cryptographically signed by Microsoft.
They are also protected by the "Windows File/Resource Protection".
Use WinVerifyTrust() to check the signatures.

On Linux, both installation packages as well as their contents are cryptographically signed too; check their detached signatures.
Anonymous
Can't you do this with listdlls.exe (part of the SysInternals suite)? Maybe it doesn't dig deep enough (dlls that load dlls). Also, some of the SysInternals suite can submit the MD5 to Virus Total. I'm not sure if listdlls.exe can or not. If not, you may be able to see if Mark Russinovich will add it in since he has it implemented for some of the other tools like autorunsc.exe. If you submit to VT using SysInternals it is free.
Justin

8 Posts

Sign Up for Free or Log In to start participating in the conversation!