
Spelling: Procpatch



* What is procpatch? [1]
* Why use it? [2]
* How does it work? [3]
* Config format [4]

WHAT IS PROCPATCH?

It is a program that can help prevent exploitation of a process by
preventing the buggy code from executing.

WHY USE IT?

It is useful when you have a system that cannot be upgraded easily,
such as one that resides on read-only or non-permanent media. One such
case is the Melbourne Wireless Linux Router Node [5] setup (mwlrn from
now on...), where you put a CD into the system and it should work.

HOW DOES IT WORK?

It works by patching a memory address with an INT3 opcode (which is
normally meant for debuggers to catch, but when there is no debugger or
signal handler for it, it kills the process). This has one significant
drawback, though: if you have a process that normally executes that
code, procpatch may not be able to prevent the exploitation.
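The effect described above, as an added example (not procpatch's own code and not from the original page): a Linux x86 program overwrites the first byte of one of its own functions with INT3 (0xCC) in a forked child, which then dies from SIGTRAP, while an unpatched child runs normally. The names buggy_handler, patch_int3, run_child and killed_by_sigtrap are hypothetical, and patching in-process via mprotect is an assumption for the demo; the page does not say how procpatch writes to the target.

```c
/* Added example, Linux on x86/x86-64 only; all names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#if !defined(__i386__) && !defined(__x86_64__)
#error "INT3 (0xCC) is an x86 opcode"
#endif

/* Stand-in for the buggy routine (e.g. a rarely used command handler). */
__attribute__((noinline)) int buggy_handler(int x) { return x * 2 + 1; }

/* Overwrite the first byte at addr with INT3 so any call traps at once. */
static int patch_int3(uintptr_t addr) {
    long ps = sysconf(_SC_PAGESIZE);
    void *page = (void *)(addr & ~((uintptr_t)ps - 1));
    /* Text pages are read+execute; make the page writable for the patch. */
    if (mprotect(page, (size_t)ps, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    *(volatile unsigned char *)addr = 0xCC;
    return mprotect(page, (size_t)ps, PROT_READ | PROT_EXEC);
}

/* Call buggy_handler in a child, optionally patched; return wait status. */
int run_child(int patched) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        signal(SIGTRAP, SIG_DFL);   /* no handler: default action kills */
        if (patched && patch_int3((uintptr_t)buggy_handler) != 0) _exit(99);
        int (*volatile call)(int) = buggy_handler;  /* force a real call */
        _exit(call(20) == 41 ? 0 : 98);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return status;
}

/* 1 if the wait status says the child was killed by SIGTRAP. */
int killed_by_sigtrap(int st) { return WIFSIGNALED(st) && WTERMSIG(st) == SIGTRAP; }

int main(void) {
    int clean = run_child(0), patched = run_child(1);
    printf("unpatched exit code: %d, patched killed by SIGTRAP: %d\n",
           WEXITSTATUS(clean), killed_by_sigtrap(patched));
    return 0;
}
```

The patched child exits 99 instead if the kernel or a security policy refuses a writable and executable text page.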

For example, with wu-ftpd 2.6.0 (if the widely known problem for that
doesn't come to mind, it's a format string in SITE EXEC), you can make
it crash at the beginning of the SITE EXEC code, which prevents
exploitation that way.

On the other hand, a case where I don't think it would be possible is
wu-ftpd 2.6.1 (again, ls ~{ or so from memory), where the globbing
code is run when you need something globbed. I have a different idea
for those programs: an LKM which redirects execve calls to, say,
/patches/full/path/name then /full/path/name...

(In short, don't use wu-ftpd. "Friends don't let friends run wu-ftpd",
"wu-ftpd: remote root in a ftp interface", "wu-ftpd: providing remote
root for the last 5-6 years").

A more recent example where it can help prevent exploitation is the
Apache "Transfer-Encoding: chunked" remote vulnerability. Since chunked
encoding is rarely used (legitimately, that is), you can prevent
exploitation by putting an int3 into the chunked encoding handling
code. (Which, I am led to believe, has been known to certain people for
5-6 months... most likely for others for much longer.)

CONFIG FORMAT



Links:
------
[1] http://melbournewireless.org.au/#what_is_procpatch_
[2] http://melbournewireless.org.au/#why_use_it_
[3] http://melbournewireless.org.au/#how_does_it_work_
[4] http://melbournewireless.org.au/#config_format
[5] http://melbournewireless.org.au/?Mwlrn
