
Procpatch



* What is procpatch? [1]
* Why use it? [2]
* How does it work? [3]
* Config format [4]

WHAT IS PROCPATCH?

It is a program that can help prevent exploitation of a process by
preventing the buggy code from executing.

WHY USE IT?

It is useful if you have a system that cannot be upgraded easily, such
as one that resides on read-only or non-permanent media. Such a case
can be found in the Melbourne Wireless Linux Router Node setup (mwlrn
from now on), where you put a CD into the system and it should work.

HOW DOES IT WORK?

By patching a memory address with an INT3 opcode. INT3 is normally
meant for debuggers to catch, but when there is no debugger or signal
handler for it, it kills the process. This has one significant
drawback though: if the process executes the code at that address
during normal operation, procpatch may not be able to prevent the
exploitation.
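The effect described above, as an added example that is not procpatch's own code: a function whose first instruction has been overwritten with the trap opcode kills the process with SIGTRAP as soon as it is called. It patches a stand-in function in a forked copy of its own process via mprotect, which is an assumption, since the page does not say how procpatch writes to its target; `risky_handler`, `patch_trap` and `run_in_child` are hypothetical names, and the aarch64 opcode is included only so the example builds off x86.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
static const unsigned char TRAP[] = { 0xCC };                   /* INT3 */
#elif defined(__aarch64__)
static const unsigned char TRAP[] = { 0x00, 0x00, 0x20, 0xD4 }; /* BRK #0, non-x86 stand-in */
#endif

/* Stand-in for the vulnerable code path (hypothetical name). */
__attribute__((noinline)) int risky_handler(int x) { return x + 1; }

/* Overwrite the instruction at addr with the trap opcode. */
int patch_trap(void *addr) {
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(pg - 1);   /* mprotect needs a page-aligned start */
    size_t len = (uintptr_t)addr + sizeof TRAP - start;
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(addr, TRAP, sizeof TRAP);
    __builtin___clear_cache((char *)addr, (char *)addr + sizeof TRAP);
    return mprotect((void *)start, len, PROT_READ | PROT_EXEC);  /* text back to r-x */
}

/* Returns the signal that killed the child, or 0 if it exited cleanly (negative exit status otherwise). */
int run_in_child(int patched) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {   /* child: the patch lands in its private copy of the page */
        if (patched && patch_trap((void *)(uintptr_t)risky_handler) != 0) _exit(2);
        int (*volatile fn)(int) = risky_handler;  /* force a real call */
        _exit(fn(41) == 42 ? 0 : 3);
    }
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : -WEXITSTATUS(st);
}

int main(void) {
    printf("unpatched: signal %d\n", run_in_child(0));
    printf("patched:   signal %d (SIGTRAP is %d)\n", run_in_child(1), SIGTRAP);
    return 0;
}
```

The unpatched run also shows the drawback: any legitimate caller of the patched address is killed in exactly the same way.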

For example, with wu-ftpd 2.6.0 (if the widely known problem for that
doesn't come to mind, it's a format string in SITE EXEC), you can make
it crash at the beginning of the SITE EXEC code, which prevents
exploitation that way.

On the other hand, a case where I don't think it would be possible
is wu-ftpd 2.6.1 (again, ls ~{ or so from memory), where the
globbing code is run whenever you need something globbed. I have a
different idea for those programs: an LKM which redirects execve calls
to say, /patches/full/path/name then, /full/path/name...

(In short, don't use wu-ftpd. "Friends don't let friends run
wu-ftpd", "wu-ftpd: remote root in a ftp interface", "wu-ftpd:
providing remote root for the last 5-6 years").

A more recent example where it can help prevent exploitation is the
Apache "Transfer-Encoding: chunked" remote vulnerability. Since
chunked encoding is rarely used (legitimately, that is), you can
prevent exploitation by putting an int3 into the chunked encoding
handling code. (Which, I am led to believe, has been known to certain
people for 5-6 months... most likely for others for much longer.)

CONFIG FORMAT



Links:
------
[1] http://melbournewireless.org.au/#what_is_procpatch_
[2] http://melbournewireless.org.au/#why_use_it_
[3] http://melbournewireless.org.au/#how_does_it_work_
[4] http://melbournewireless.org.au/#config_format
