
Procpatch


What is procpatch?


It is a program that helps prevent exploitation of a process by stopping the
buggy code from ever executing.

Why use it?


Use it when you have a system that cannot be upgraded easily, such as one that
runs from read-only or non-permanent media. One such case is the router node
setup Melbourne Wireless Linux Router Node (mwlrn from now on...), where you
put a CD into the system and it should just work.

How does it work?


By patching a memory address with an INT3 opcode. INT3 is normally meant for
debuggers to catch, but when there is no debugger or signal handler for it, the
kernel kills the process. This has one significant drawback though: if the
process normally executes the patched code as part of legitimate operation,
the patch will kill it then too, so it cannot be used to block that code path.

For example, with wu-ftpd 2.6.0 (if the widely known problem with that version
doesn't come to mind, it's a format string bug in SITE EXEC), you can make it
crash at the beginning of the SITE EXEC code, which makes exploitation
impossible by that route.

On the other hand, a case where I don't think it would be possible is wu-ftpd
2.6.1 (again, ls ~{ or so, from memory), where the globbing code is run
whenever something needs globbing. I have a different idea for those programs:
an LKM which redirects execve calls to, say, /patches/full/path/name and then
/full/path/name...

(In short, don't use wu-ftpd. "Friends don't let friends run wu-ftpd",
"wu-ftpd: remote root in a ftp interface", "wu-ftpd: providing remote root for
the last 5-6 years").

Or, for a more recent example where it can help prevent exploitation, there is
the Apache "Transfer-Encoding: chunked" remote vulnerability. Since chunked
encoding is rarely used (legitimately, that is), you can prevent exploitation
by putting an int3 into the chunked encoding handling code. (Which, I am led to
believe, has been known to certain people for 5-6 months... most likely to
others for much longer.)

Config format


Version 3 (old) modified Mon, 26 Jul 2021 12:49:29 +0000 by graybeard