### Index ###

!! What is procpatch?

It is a program that can help prevent exploitation of a process by preventing the buggy code from executing.

!! Why use it?

Well, if you have a system that cannot be upgraded easily, such as a system that resides on read-only, or non-permanent media. Such a case can be found in the router node setup Melbourne Wireless Linux Router Node (mwlrn from now on...) where you put a cd into the system, and it should work.

!! How does it work?

By patching a memory address with a INT3 opcode (which, normally is meant for debuggers to catch, but when there is no debugger/signal handler for it, it kills the proccess.). This has one significant drawback though. If you have a proccess that normally executes that, it may not be able to prevent it.

For example, with wu-ftpd 2.6.0 (if the widely known problem for that doesn't come to mind, its a format string in SITE EXEC), you can make it crash in the beginning of the SITE EXEC code, which prevents the exploitation from being possible, in that way.

On the other hand, a case where I don't think it would be possible, is in the wu-ftpd 2.6.1 (again, ls ~{ or so from memory), where the globbing code is run when you need something globbed. I have a different idea for those programs, an LKM which redirects execve calls to say, /patches/full/path/name then, /full/path/name...

(In short, don't use wu-ftpd. "Friends don't let friends run wu-ftpd", "wu-ftpd: remote root in a ftp interface", "wu-ftpd: providing remote root for the last 5-6 years").

Or for a more recent example where it can help prevent exploitation is the Apache "Transfer-encoded: chunked" remote vulnerabilty. Since the chunked encoding is rarely used (legimately, that is), you can prevent exploitation by putting a int3 into the chunked encoding handling code. (Which, I am lead to believe have been known to certain people for 5-6 months... most likely for others for much longer.)

!! Config format