1. Introduction
A complex software product often contains packages, libraries, or modules made by third parties, and these third-party components may again contain components from other sources. This is known as the software supply chain. Software supply chains are increasingly complicated, and it can be hard to detect statically-linked copies of vulnerable third-party libraries in executables.
This blog post discusses how to use Dr. Binary to search statically linked vulnerable functions in executables. We built httpd with statically linked OpenSSL library 1.0.2a. This OpenSSL has many known vulnerabilities (e.g., CVE-2015-1788). They are statically linked so such vulnerability cannot be detected simply by version based detection approaches. The following paragraphs will illustrate how to use Dr. Binary to identify this statically linked vulnerable function.
2. Conduct the Scan
- Create an account on Dr. Binary
- Create vulnerability information
As discussed in last blog, users can create their only vulnerability database, or use the vulnerability database provided by Dr. Binary. In this example, we use the OpenSSL vulnerability database provided by Dr. Binary.
- Click projects on left aside menu and create a new project named httpd and upload the httpd binary file [1] to this project.
- Now create the scan, and in the popup windows, you can specify the file (httpd) and vulnerability (OpenSSL) you want to scan, click "OK".
Now you can see a status update. Dr. Binary take the binary and running the analysis. It may take several minutes to get the results.
3. Analyze the results
Figure 2 Analysis Results |
Figure 3 CVE-2015-1788 |
No comments:
Post a Comment