How can I determine which of the programs installed on my system may be vulnerable to the glibc GHOST bug? (Assume the system has a vulnerable version of the libc6 library.)
The similar post How to patch and protect Linux servers against the Glibc GHOST vulnerability # CVE-2015-0235 was helpful, but lsof
is probably not the best way to test for it.
Answer 1
Well, there's more than one way to skin a cat. Here's how I skin mine.
#! /bin/sh
# Directories holding the executables and shared objects to examine.
EXE_DIRECTORIES="/bin /sbin /usr/bin /usr/local/bin"
SO_DIRECTORIES="/lib /lib64 /usr/local/lib"
FILES=
VULNERABLE=
COUNT1=0
COUNT2=0

echo "Generating file list..."
# Executables: ELF programs, identified by file(1)'s MIME type (newer file
# versions report PIE binaries as x-pie-executable).
for d in $EXE_DIRECTORIES ; do
    [ -d "$d" ] || continue
    FILES="$FILES $(find "$d" -type f -executable -exec file -i '{}' \; | grep -E 'x-(pie-)?executable; charset=binary' | cut -f 1 -d:)"
done
# Shared objects: file(1) reports these as x-sharedlib, not x-executable,
# and they are usually installed mode 644, so do not require -executable.
for d in $SO_DIRECTORIES ; do
    [ -d "$d" ] || continue
    FILES="$FILES $(find "$d" -type f -exec file -i '{}' \; | grep 'x-sharedlib; charset=binary' | cut -f 1 -d:)"
done

echo "Testing executables..."
# A binary is flagged when its dynamic symbol table imports (U) a gethostbyname*
# symbol; an object that defines the symbol (libc itself) is not flagged.
for f in $FILES ; do
    COUNT1=$(( COUNT1 + 1 ))
    if nm -D "$f" 2>/dev/null | grep gethostbyname | grep -q -w U ; then
        VULNERABLE="$VULNERABLE $f"
        COUNT2=$(( COUNT2 + 1 ))
    fi
done
echo "Examined components: $COUNT1"
echo "Vulnerable components: $COUNT2"
echo "*****************************"
for v in $VULNERABLE ; do
    echo "$v"
done
On a typical Ubuntu 14 development system, I get the following results:
$ ./glibc-check.sh
Generating file list...
Testing executables...
Examined components: 961
Vulnerable components: 32
*****************************
/bin/ss
/bin/hostname
/bin/tar
/bin/cpio
/bin/netstat
/bin/ping
/bin/mt-gnu
/sbin/agetty
/sbin/route
/sbin/rarp
/sbin/ifconfig
/sbin/getty
/usr/bin/logger
/usr/bin/git-upload-pack
/usr/bin/aseqnet
/usr/bin/git
/usr/bin/telnet.netkit
/usr/bin/getent
/usr/bin/mtr
/usr/bin/mtools
/usr/bin/gethostip
/usr/bin/gdb
/usr/bin/tracepath
/usr/bin/python3.4m
/usr/bin/python2.7
/usr/bin/arping
/usr/bin/python3.4
/usr/bin/traceroute6.iputils
/usr/bin/openssl
/usr/bin/git-shell
/usr/bin/rsync
But that is only a subset of the more than 19000 packages that depend on libc6 (it covers only the installed ones, and only those of their components that live in the well-known locations):
$ apt-cache rdepends libc6 | wc -l
19125
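As an added example (not code from the answer above), the same check done without forking file(1) and nm(1) once per binary: each ELF64 object's .dynsym is read directly and only imported (SHN_UNDEF) gethostbyname* symbols are reported, so a libc that defines them is not flagged. build_sample_elf() is a constructed, hypothetical minimal object used only to exercise the parser offline; scan() takes the same directory list the script uses.

```python
import struct
from pathlib import Path
SHT_DYNSYM, SHT_STRTAB, SHN_UNDEF = 11, 3, 0
# Entry points through which the vulnerable __nss_hostname_digits_dots() is reached.
GHOST_SYMBOLS = {"gethostbyname", "gethostbyname2", "gethostbyname_r", "gethostbyname2_r"}

def undefined_ghost_symbols(data: bytes) -> list:
    """GHOST symbols an ELF64 object imports (SHN_UNDEF), as `nm -D | grep -w U` would list."""
    if data[:4] != b"\x7fELF" or data[4] != 2:        # not ELF, or not ELFCLASS64
        return []
    end = "<" if data[5] == 1 else ">"                 # EI_DATA: little- or big-endian
    eh = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)   # e_type .. e_shstrndx
    shdrs = [struct.unpack_from(end + "IIQQQQIIQQ", data, eh[5] + i * eh[10]) for i in range(eh[11])]
    found = []
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab_off = shdrs[sh[6]][4]                   # sh_link names the matching .dynstr
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, _, _, st_shndx = struct.unpack_from(end + "IBBH", data, off)
            start = strtab_off + st_name
            name = data[start:data.index(b"\0", start)].decode(errors="replace")
            if st_shndx == SHN_UNDEF and name in GHOST_SYMBOLS:   # imported, not defined here
                found.append(name)
    return found

def scan(directories) -> dict:
    """Map each readable regular file below the directories to the GHOST symbols it imports."""
    hits = {}
    for p in (p for d in directories for p in Path(d).rglob("*") if p.is_file() and not p.is_symlink()):
        try:
            syms = undefined_ghost_symbols(p.read_bytes())
        except OSError:                                # unreadable: skip, like nm's 2>/dev/null
            continue
        if syms:
            hits[str(p)] = syms
    return hits

def build_sample_elf(symbols) -> bytes:
    """Constructed minimal ELF64 holding only .dynsym/.dynstr; symbols = [(name, is_import)]."""
    dynstr, syms = b"\0", b"\0" * 24                   # index 0 is the mandatory null symbol
    for name, is_import in symbols:
        syms += struct.pack("<IBBHQQ", len(dynstr), 0x12, 0, SHN_UNDEF if is_import else 1, 0, 0)
        dynstr += name.encode() + b"\0"
    dynsym_off, dynstr_off = 64, 64 + len(syms)        # sections follow the 64-byte ELF header
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, dynstr_off + len(dynstr), 0, 64, 0, 0, 64, 3, 0)
    shdrs = (b"\0" * 64 + struct.pack("<IIQQQQIIQQ", 0, SHT_DYNSYM, 2, 0, dynsym_off, len(syms), 2, 1, 8, 24)
             + struct.pack("<IIQQQQIIQQ", 0, SHT_STRTAB, 2, 0, dynstr_off, len(dynstr), 0, 0, 1, 0))
    return ehdr + syms + dynstr + shdrs
```

On a real system, `scan(["/bin", "/sbin", "/usr/bin", "/lib", "/lib64"])` returns the flagged paths with the symbols each one imports; like the script, it says which binaries call into the affected code, not whether the installed glibc is patched.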