Next, a way to call strncpy() needs to be found. If the program actually calls strncpy() at some other point, the address of the strncpy() function can be substituted for the address of the vulnerable strcpy() function. If the program contains no other calls to strncpy(), then things get complicated. For statically linked programs, the entire strncpy() function would need to be inserted into the binary, requiring significant changes to the file that may not be possible to accomplish. For dynamically linked binaries, the program's import table would need to be edited so that the loader performs the proper symbol resolution to link in the strncpy() function in the future. Manipulating a program's import table is another task that requires extremely detailed knowledge of the executable file's format, making this a difficult task at best.
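The simpler of the two cases above, as an added example that is not code from the book: in a dynamically linked x86-64 binary that already imports strncpy(), the 5-byte `call rel32` at the strcpy() call site is rewritten so it lands on the strncpy() PLT stub instead. The load address, stub addresses and call-site offset are constructed assumptions, not values from any real binary.

```python
import struct

CALL_REL32 = 0xE8   # opcode of the 5-byte "call rel32" form on x86/x86-64
CALL_LEN = 5

def call_target(code: bytes, call_off: int, code_base: int) -> int:
    """Absolute target of the call rel32 at call_off; code_base is the
    virtual address at which code[0] is loaded."""
    if code[call_off] != CALL_REL32:
        raise ValueError(f"no call rel32 at offset {call_off:#x}")
    rel = struct.unpack_from("<i", code, call_off + 1)[0]
    # rel32 is relative to the address of the *next* instruction
    return code_base + call_off + CALL_LEN + rel

def retarget_call(code: bytes, call_off: int, code_base: int,
                  old_target: int, new_target: int) -> bytes:
    """Rewrite the call at call_off to land on new_target. Refuses to touch
    anything that is not already a call to old_target, so a wrong offset
    cannot silently corrupt an unrelated instruction."""
    if call_target(code, call_off, code_base) != old_target:
        raise ValueError("call at offset does not target the expected function")
    rel = new_target - (code_base + call_off + CALL_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError("new target not reachable with a rel32 displacement")
    patched = bytearray(code)
    struct.pack_into("<i", patched, call_off + 1, rel)
    return bytes(patched)

# Constructed layout (assumption): .text at 0x401000, PLT stubs for strcpy
# at 0x401030 and strncpy at 0x401040, vulnerable call at .text offset 0x10.
CODE_BASE = 0x401000
STRCPY_PLT = 0x401030
STRNCPY_PLT = 0x401040
CALL_OFF = 0x10

def build_sample() -> bytes:
    """Constructed code bytes: NOP padding around one call to strcpy@plt."""
    code = bytearray(b"\x90" * 0x20)
    code[CALL_OFF] = CALL_REL32
    struct.pack_into("<i", code, CALL_OFF + 1,
                     STRCPY_PLT - (CODE_BASE + CALL_OFF + CALL_LEN))
    return bytes(code)

def patch_sample() -> bytes:
    """The strcpy() call site, retargeted to strncpy@plt."""
    return retarget_call(build_sample(), CALL_OFF, CODE_BASE,
                         STRCPY_PLT, STRNCPY_PLT)
```

Retargeting the call is only half of the fix: strncpy() takes a third argument, the destination size, so the register or stack setup before the call must also be patched to supply it, and the copy still has to be NUL-terminated when the source fills the buffer.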
Binary Mutation
As discussed, it may be a difficult task to develop a binary patch that completely fixes an exploitable condition without access to source code or significant vendor support. One technique for restricting access to vulnerable applications while awaiting a vendor-supplied patch was port knocking. A drawback to port knocking is that a malicious user who knows the knock sequence can still exploit the vulnerable application.