Libraries and Dependencies - It Really is Turtles All The Way Down!

Published: 2015-12-23
Last Updated: 2015-12-23 16:25:39 UTC
by Rob VandenBrink (Version: 1)
5 comment(s)

There's been a fair amount of discussion in recent months, especially in IoT circles, about application dependencies - especially with respect to encryption and vulnerabilities in libraries.  For instance - in version x of a product, which libraries are used?  The salesfolks will stop there, but more importantly, which libraries and DLLs do my libraries and DLL's use, and so on?   If you go 3 levels deep, will you maybe find a statically linked openssl lib that's vulnerable to poodle or something else?

In Windows, you can get that first pass using Powershell:

PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module
   Size(K) ModuleName                                         FileName
   ------- ----------                                         --------
       212 notepad.exe                                        C:\windows\not...
      1700 ntdll.dll                                          C:\Windows\SYS...
      1152 kernel32.dll                                       C:\Windows\sys...
       432 KERNELBASE.dll                                     C:\Windows\sys...
       544 SYSFER.DLL                                         C:\Windows\Sys...
       876 ADVAPI32.dll                                       C:\Windows\sys...
       636 msvcrt.dll                                         C:\Windows\sys...

or, more verbosely (this is the listing that you really want):


PS C:\test> start-process -PassThru c:\windows\notepad.exe | get-process -module  -fileversioninfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   6.1.7600.1638... C:\windows\notepad.exe
6.1.7600.16385   6.1.7600.1638... C:\Windows\SYSTEM32\ntdll.dll
6.1.7601.18015   6.1.7601.1801... C:\Windows\system32\kernel32.dll
6.1.7601.18015   6.1.7601.1801... C:\Windows\system32\KERNELBASE.dll
12.1.5337.5000   12.1.5337.5000   C:\Windows\System32\SYSFER.DLL
6.1.7601.18869   6.1.7601.1886... C:\Windows\system32\ADVAPI32.dll
7.0.7601.17744   7.0.7601.1774... C:\Windows\system32\msvcrt.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\SYSTEM32\sechost.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\RPCRT4.dll
6.1.7601.18898   6.1.7601.1889... C:\Windows\system32\GDI32.dll
6.1.7601.17514   6.1.7601.1751... C:\Windows\system32\USER32.dll
6.1.7601.18985   6.1.7601.1898... C:\Windows\system32\LPK.dll
1.0626.7601.1... 1.0626.7601.1... C:\Windows\system32\USP10.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\COMDLG32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\SHLWAPI.dll
6.1.7600.16385   6.10 (win7_rt... C:\Windows\WinSxS\
6.1.7601.17514   6.1.7601.1751... C:\Windows\system32\SHELL32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\WINSPOOL.DRV
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\ole32.dll
6.1.7601.18679   6.1.7601.18679   C:\Windows\system32\OLEAUT32.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\VERSION.dll
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\IMM32.DLL
6.1.7600.16385   6.1.7600.1638... C:\Windows\system32\MSCTF.dll     C:\Windows\system32\nvinitx.dll

But that doesn't show the dependecy tree (if someone knows how to do this in Powershell, please use the comment form and let us all know!).

Dependency Walker does a decent job of this for Windows apps (  A simple run of "depends.exe /c /oc:dependencies-np.csv /ot:dependencies-np.txt c:\windows\notepad.exe" gives us a much more complete dependency tree listing (over 3000 lines in my system):

[  6] c:\windows\NOTEPAD.EXE
     [  6] c:\windows\system32\ADVAPI32.DLL
          [ ^6] c:\windows\system32\MSVCRT.DLL
               [F^6] c:\windows\system32\NTDLL.DLL
          [ ^6] c:\windows\system32\NTDLL.DLL
          [  6] c:\windows\system32\KERNELBASE.DLL
               [ ^6] c:\windows\system32\NTDLL.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-CORE-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL
          [  6] c:\windows\system32\API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL
       (... and so on)

This isn't something you need every day - but if you are auditing code to see what's inside of it, to see if you are using a vulnerable library 2 or 3 levels deep, it's invaluable.  No matter how good your processes are, there will always be some reference to an old library left over that someone thought  was deleted, a dll used by a library you bought (or downloaded) that you didn't know was statically linked in there, or something a dev used "just for testing" that never got removed.

In Linux?  Much easier- ldd (with a -v argument) does the trick there - in OSX you would use "otool -L". For instance, to get the full dependency tree for vi:

ldd -v /usr/bin/vi > vi-tree.out

This gives me a 465 line tree of libraries!  (on kali 2.0).  Without the tree listing, it's down to 65 unique libs, but that's still a solid bit of work to plow through to come to the answer of "Are all my libraries up to date?  Am I vulnerable to something I wasn't aware of?"  Tools like CVE Search can simplify this task, but there's still some plain old hard work involved!

Similarly, if you work in the mobile space, on android you might use ldd-arm or maybe ndk-depends.  What do you use to get a similar tree listing for iOS?

If you've found a better way to tackle this problem (on whatever OS) that I've overlooked, please - use our comment form and post some code!

Rob VandenBrink

5 comment(s)
ISC StormCast for Wednesday, December 23rd 2015


eweew<a href="">mashood</a>
dwqqqwqwq mashood
[ |]
What's this all about ..?
password reveal .
<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

Diary Archives