Go Beyond

Written by Teran McKinney

argv modification for no fun and no profit

While playing around in C recently, writing an incredibly stupid web server, my mind wandered to process names, forking, and threading.

Especially process names. I recalled that you can modify argv, so I tested it.

On FreeBSD, modifying argv doesn't change ps output at all. FreeBSD does, however, have a setproctitle() call that works. My results on FreeBSD were less interesting and harder to get at (procfs isn't mounted by default, and I'm not even sure how well it works), so I moved to Linux.

Under Linux, /proc is amazing. I don't know whether the system-call approach or the procfs setup is better, but /proc is handy for quick scripts, especially as an lsof alternative if you don't have lsof for some awful reason.

Each process is kept under /proc/<pid>/, where there are cmdline, environ, and other "files".

You may be wondering, why is he writing about changing process titles? What's the big deal?

With terminals, you clear them with escape codes. You can backspace and rewrite. You can change what the user sees when they open a file. What if you could use your process name as an "attack" vector? Say you put in the clear-screen sequence and wrote out a different ps line? Or backspaced and claimed the process was owned by root instead of eliteh4x0r?

There are some huge difficulties. For example, maybe they have a wide terminal and you wrote a line that was 80 characters wide. Fishy!

I was able to get the terminal cleared with what I set in argv[0] by catting /proc/<pid>/cmdline. You can run clear | hexdump -C to see what you need to write to clear the screen. For a less invasive maneuver, just look up the ASCII code for backspace, write it a few times, then rewrite something.

With an "interesting" process in hand, I tried to find something that would display my raw data.

ps.... nope.

pstree.... nope.

lsof... nope.

I also tried doing tail -f on a file whose name was a special ASCII sequence. Nothing odd in ps, even then.

And maybe a couple of others. Either way, they all seemed to sanitize the process name properly. Good for them!

I haven't seen this mentioned anywhere else, but you should treat process names as potentially malicious and handle them with care. The same goes for filenames, especially executable filenames: you could probably make one that "changes" its name by embedding backspace characters, since some filesystems allow any ASCII character other than NUL in a filename. ls seems to be sanitized, as does stat.

So, no fun, no profit. But I think someone probably missed something, somewhere, in this regard. Keep in mind that some of these tools may also let UTF-8 through; it might be possible to use a UTF-8 right-to-left override to rewrite the line. I haven't tested that.

As for potential applications, keeping backdoors stealthy or using them for social engineering come to mind. At the real extreme, perhaps there's a vulnerable terminal emulator that you can control with the sequence written out from the process or filename. Easier in theory than in practice.
