Playing around in C recently, writing an incredibly stupid web server, my mind wandered to process names, forking, and threading.
Especially process names. I recalled that you can modify argv, so I tested it.
On FreeBSD, it doesn't change the ps output at all. FreeBSD does, however, have a setproctitle() call that works. My results on FreeBSD were less interesting and harder to get at (procfs isn't mounted by default there, and I'm not even sure how well it works), so I went to Linux.
Under Linux, /proc is amazing. I don't know whether the system call or the procfs approach is the better design, but /proc is handy for quick scripts, especially as an lsof alternative if you don't have lsof for some awful reason.
Processes live under /proc/<pid>/, where you'll find cmdline, environ, and other "files". The cmdline "file" is the kernel's view of the process's own argv memory, with the arguments separated by NUL bytes, which is exactly why scribbling over argv changes what ps prints.
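To make the mechanism concrete, here is an added example of my own, not code from the post: a small C program for Linux that overwrites its own argv area and then reads /proc/self/cmdline back to show the change. The names set_title() and read_cmdline() are mine, and the fake ps line it installs is a constructed, harmless string. It only reuses the argv strings; a real setproctitle() also annexes the environment block that follows argv (after copying environ elsewhere) to get more room.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Overwrite the contiguous argv[0..argc-1] area with `title`.
 * On Linux the kernel builds /proc/<pid>/cmdline from this very memory,
 * so afterwards ps shows `title` instead of the real arguments.
 * Returns the number of bytes that were available (the old argument
 * strings plus their NUL separators), or 0 if argv is empty. The area
 * is zero-filled first so no fragment of the old arguments survives;
 * a title longer than the area is truncated. */
size_t set_title(int argc, char **argv, const char *title)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return 0;
    char *start = argv[0];
    /* the last argument's terminating NUL marks the end of the area */
    char *end = argv[argc - 1] + strlen(argv[argc - 1]);
    size_t avail = (size_t)(end - start);
    size_t n = strlen(title);
    if (n > avail)
        n = avail;
    memset(start, 0, avail);
    memcpy(start, title, n);
    return avail;
}

/* Read /proc/<pid>/cmdline into buf, joining the NUL-separated arguments
 * with spaces (as ps does) and dropping the trailing NULs that
 * set_title() leaves behind. Returns the number of bytes stored, or -1
 * if the file cannot be read (no procfs, no such pid, ...). */
ssize_t read_cmdline(pid_t pid, char *buf, size_t buflen)
{
    char path[64];
    if (buflen == 0)
        return -1;
    snprintf(path, sizeof path, "/proc/%ld/cmdline", (long)pid);
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, buflen - 1, f);
    fclose(f);
    while (n > 0 && buf[n - 1] == '\0')
        n--;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == '\0')
            buf[i] = ' ';
    buf[n] = '\0';
    return (ssize_t)n;
}

int main(int argc, char **argv)
{
    /* Constructed title: a clear-screen sequence (ESC[H ESC[2J, what
     * `clear` emits on xterm-style terminals) followed by a fake ps
     * line. Whether it does anything depends entirely on whether the
     * tool that prints it escapes control bytes. */
    const char *title = "\033[H\033[2Jroot   1  0.0  /sbin/init";
    char buf[256];

    if (read_cmdline(getpid(), buf, sizeof buf) >= 0)
        printf("before: %s\n", buf);
    size_t avail = set_title(argc, argv, title);
    if (avail < strlen(title))
        fprintf(stderr, "title truncated to %zu bytes; pass some padding "
                        "arguments to widen the argv area\n", avail);
    if (read_cmdline(getpid(), buf, sizeof buf) >= 0)
        printf("after:  %s\n", buf);
    sleep(30); /* stay alive so `ps -p $PID -o args` can be inspected */
    return 0;
}
```

Run it with a few dummy arguments (the title has to fit inside the bytes the original arguments occupied) and inspect it from another terminal with `ps -p <pid> -o args` and `cat /proc/<pid>/cmdline | xxd`; the second shows the raw bytes, the first shows what ps chooses to do with them.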
You may be wondering, why is he writing about changing process titles? What's the big deal?
Terminals are driven by escape codes: you can clear the screen, backspace and rewrite, and a file full of them changes what the user sees when they open it. What if you could use your process name as an "attack" vector? Say you put in the clear-screen sequence and wrote out a different ps line, or backspaced and said the process was owned by root rather than eliteh4x0r?
There are some huge difficulties. For instance, maybe they have a wide terminal and you wrote a line that was 80 characters wide. Fishy!
I was able to get the terminal cleared with what I set in argv, via /proc/pid/cmdline. You can run `clear | hexdump -C` to see what you need to write to clear the screen (on xterm-style terminals it's ESC[H followed by ESC[2J). Or, for a less invasive maneuver, just look up the ASCII code for backspace (0x08), write it a few times, then rewrite something.
With an "interesting" process in hand, I tried to find something that would display my raw data. I also tried `tail -f` on a file named with a special ASCII sequence. Nothing odd in ps, even then. And maybe a couple of others. Either way, they all seemed to sanitize the process name properly. Good for them!
I haven't seen this mentioned anywhere else, but you should consider process names potentially malicious and treat them with respect. This also goes for filenames, especially executable filenames: you could have one that "changes" its name when listed by embedding backspace characters. On Unix-like systems the kernel forbids only NUL and '/' in a filename, so every other control character, including ESC and backspace, is fair game.
ls seems to be sanitized too, at least when it writes to a terminal: GNU ls prints '?' in place of non-graphic characters by default when stdout is a tty, and shows them as backslash escapes with -b. When its output is piped to another program it passes the raw bytes through, so a filename that is harmless in an interactive listing is right back in play the moment someone cats a saved listing or log.
So, no fun, no profit. But I think someone probably missed something, somewhere, in this regard. Keep in mind that some of these tools may also let UTF-8 through. You might be able to use the Unicode right-to-left override (U+202E) to rewrite the line. I haven't tested that.
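The defensive side of the same idea, as an added example that is not from the post: a C routine that escapes a process name, argv string or filename before it is written to a terminal or log, in the spirit of `ls -b`. It escapes C0 controls, DEL and embedded NULs (so raw /proc/<pid>/cmdline data can be fed in directly), the C1 controls that UTF-8 terminals honour (U+0080..U+009F, e.g. the single-byte CSI), and the bidi override and isolate characters (U+202A..U+202E, U+2066..U+2069) that the right-to-left trick relies on. The function name escape_for_tty() and the sample inputs are mine; other non-ASCII bytes are passed through unchanged, which a stricter policy could tighten.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* If the bytes at p (n left) are the 3-byte UTF-8 encoding of a bidi
 * control character, return its code point, else 0. U+2000..U+2FFF is
 * encoded as E2 xx yy with two continuation bytes. */
static unsigned bidi_control(const unsigned char *p, size_t n)
{
    if (n < 3 || p[0] != 0xE2)
        return 0;
    if ((p[1] & 0xC0) != 0x80 || (p[2] & 0xC0) != 0x80)
        return 0;
    unsigned cp = 0x2000u | ((p[1] & 0x3Fu) << 6) | (p[2] & 0x3Fu);
    if ((cp >= 0x202A && cp <= 0x202E) || (cp >= 0x2066 && cp <= 0x2069))
        return cp;
    return 0;
}

/* Escape `in` (len bytes, NUL allowed) into `out` as a printable C
 * string. C0 controls, DEL and NUL become \xNN; C1 controls and bidi
 * controls become \uNNNN; everything else is copied through. Returns
 * the number of bytes written (excluding the terminator), or (size_t)-1
 * if `out` is too small. */
size_t escape_for_tty(const char *in, size_t len, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t o = 0;
    for (size_t i = 0; i < len; ) {
        char tmp[8];
        int w;
        unsigned cp = bidi_control(p + i, len - i);
        if (cp) {
            w = snprintf(tmp, sizeof tmp, "\\u%04x", cp);
            i += 3;
        } else if (len - i >= 2 && p[i] == 0xC2 && p[i + 1] >= 0x80
                   && p[i + 1] <= 0x9F) {
            /* C2 80..C2 9F encode U+0080..U+009F (C1 controls) */
            w = snprintf(tmp, sizeof tmp, "\\u%04x", (unsigned)p[i + 1]);
            i += 2;
        } else if (p[i] < 0x20 || p[i] == 0x7F) {
            w = snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)p[i]);
            i += 1;
        } else {
            tmp[0] = (char)p[i];
            tmp[1] = '\0';
            w = 1;
            i += 1;
        }
        if (o + (size_t)w >= outlen)
            return (size_t)-1;
        memcpy(out + o, tmp, (size_t)w);
        o += (size_t)w;
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* constructed sample: clear-screen sequence, a fake ps line, two
     * backspaces, then a filename wrapped in a right-to-left override */
    const char sample[] = "\x1b[2Jroot   1 /sbin/init\b\b \xe2\x80\xae" "gnp.exe";
    char out[128];
    if (escape_for_tty(sample, sizeof sample - 1, out, sizeof out) != (size_t)-1)
        printf("%s\n", out);
    return 0;
}
```

Run anything that came from another process or from a directory listing through this before printing or logging it; the point is that the escaping happens at the output boundary, since the same bytes are fine to store and compare but not fine to hand to a terminal emulator.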
As for potential applications, keeping backdoors stealthy or using them for social engineering come to mind. At the real extreme, perhaps there's a vulnerable terminal emulator that you can control with the sequence written out from the process or filename. Easier in theory than in practice.