
Exploiting UMA, FreeBSD's kernel memory allocator

Discussion in 'FreeBSD Development' started by SirDice, Jun 12, 2009.

  1. SirDice

    The latest Phrack magazine had an interesting article. I read some of the article, but most of it is somewhat beyond me.

    But I did want to share it, as it directly affects our favorite OS.

    Read more here: http://www.phrack.org/issues.html?issue=66&id=8#article
     
  2. keramida@

    Phrack article about UMA & Greek free/open source conference

    The article by Patroklos is indeed quite interesting. It does not describe a security bug, in the sense of a "local root exploit" (since most of the kernel module code shown in the article requires local root privileges to be loaded into a running kernel). But it does have many good parts:

    • It includes a description of the internals of uma(9). Most of the stuff described can also be gleaned from the kernel source code, but it is wonderful to see something that pieces together some of the internals.
    • The ASCII diagram of the way various uma(9) data structures relate to each other is awesome. It is one of the best parts of the article, IMO. I've spent some time reading uma code for a project of my own, and the data-structure diagram of Patroklos is one of the best I've seen so far. I'm sure it will help a lot to have this picture in mind when one is reading the code of uma.
    • There is no "exploit" code that can give root privileges to someone who doesn't already have kldload privileges, but the article takes a very educational step by step approach to the whole process. This is very nice, as it clearly illustrates by example how one can dive into the guts of a complex and large program, like the kernel, and make it do something quite unexpected.

    Patroklos is going to speak at a Greek free & open source conference next week. If you are a Greek FreeBSD user, and you are going to be near Athens the next few days, it may be worth joining us at the conference:

    http://conf.ellak.gr/2009/
     
  3. SirDice

    As far as I understood it, that kernel module was/is only used to make it easy to explore/exploit the basic structure. I am assuming an attacker armed with this kind of intimate knowledge of the UMA structure would be able to use that information in a heap overflow. This could be used (or should I say abused?) when exploiting bugs in the base OS or even third-party userland tools, especially since the other attack vector is more or less taken care of (stack smashing/SSP) with 8-CURRENT.

    So the front door now has deadbolts (stack/SSP), but you could still get bitten in the a$$ by someone taking the back door (heap).
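Added example, not from the Phrack article, this thread, or the FreeBSD source tree: a user-space C model of the one uma(9) layout fact that SirDice's "back door" point above rests on. For small items, uma(9) keeps the slab header at the end of the backing page (offset PAGE_SIZE minus the header size) with the items packed in front of it, so an overflow of the last item in a page runs through the tail slack and into allocator metadata rather than into a neighbouring item. Everything else here is invented for the model: the struct model_slab fields, the bump allocator with no free path, the 64-byte item size and the constructed 0x41 input. The real types are struct uma_slab and struct uma_keg in sys/vm/uma_int.h, and nothing below is a kernel exploit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Invented stand-in for uma(9)'s slab header: a back-pointer the free path
 * trusts plus bookkeeping. Field names are the model's own, not uma_int.h's. */
struct model_slab {
    void     *us_keg;        /* which keg/zone owns this slab */
    uint8_t  *us_data;       /* first item in the page */
    uint16_t  us_magic;      /* model-only canary so damage is visible */
    uint16_t  us_freecount;  /* items not yet handed out */
    uint16_t  us_firstfree;  /* next item index (bump allocation, no free) */
};

#define MODEL_PAGE_SIZE 4096u
#define MODEL_ITEM_SIZE 64u
#define MODEL_MAGIC     0x5A5Au
/* Same arithmetic as uma(9) for non-OFFPAGE kegs: the header sits at the END
 * of the page and as many whole items as fit are packed in front of it. */
#define MODEL_PGOFF      (MODEL_PAGE_SIZE - sizeof(struct model_slab))
#define MODEL_IPERS      ((unsigned)(MODEL_PGOFF / MODEL_ITEM_SIZE))
#define MODEL_SLAB(page) ((struct model_slab *)((page) + MODEL_PGOFF))

static int model_keg;  /* any address serves as the owning "keg" */

static uint8_t *model_page_new(void)
{
    uint8_t *page = calloc(1, MODEL_PAGE_SIZE);
    if (page == NULL) return NULL;
    struct model_slab *s = MODEL_SLAB(page);
    s->us_keg = &model_keg;
    s->us_data = page;
    s->us_magic = MODEL_MAGIC;
    s->us_freecount = (uint16_t)MODEL_IPERS;
    s->us_firstfree = 0;
    return page;
}

static void *model_alloc(uint8_t *page)
{
    struct model_slab *s = MODEL_SLAB(page);
    if (s->us_freecount == 0) return NULL;
    s->us_freecount--;
    return s->us_data + (size_t)s->us_firstfree++ * MODEL_ITEM_SIZE;
}

/* Slack between the end of the last item and the header (waste, in uma terms). */
static size_t model_tail_slack(void)
{
    return MODEL_PGOFF - (size_t)MODEL_IPERS * MODEL_ITEM_SIZE;
}

/* The bug class (checked == 0): copy attacker-sized input into a fixed-size
 * item. The fix (checked != 0): the item holds MODEL_ITEM_SIZE bytes, no more. */
static int model_store(void *item, const void *src, size_t n, int checked)
{
    if (checked && n > MODEL_ITEM_SIZE) return -1;
    memcpy(item, src, n);
    return 0;
}

static int model_header_intact(const uint8_t *page)
{
    const struct model_slab *s = MODEL_SLAB(page);
    return s->us_magic == MODEL_MAGIC && s->us_keg == &model_keg;
}

/* Take the LAST item in the page, overflow it far enough to reach us_keg, and
 * report whether the header survived: 1 intact, 0 clobbered, -1 error. */
static int model_demo(int checked)
{
    uint8_t *page = model_page_new();
    void *item = NULL;
    if (page == NULL) return -1;
    for (unsigned i = 0; i < MODEL_IPERS; i++)
        item = model_alloc(page);
    /* Constructed input: item + tail slack + one pointer's worth of header.
     * It stays inside the page; only the item boundary is crossed. */
    size_t n = MODEL_ITEM_SIZE + model_tail_slack() + sizeof(void *);
    uint8_t *buf = malloc(n);
    if (buf == NULL) { free(page); return -1; }
    memset(buf, 0x41, n);
    model_store(item, buf, n, checked);   /* unchecked: lands on slab->us_keg */
    int intact = model_header_intact(page);
    free(buf);
    free(page);
    return intact;
}

int main(void)
{
    printf("items per page %u, tail slack %zu bytes\n", MODEL_IPERS, model_tail_slack());
    printf("unchecked copy, header intact: %d\n", model_demo(0));
    printf("checked copy,   header intact: %d\n", model_demo(1));
    return 0;
}
```

Compiled and run, it reports the item count and slack, then "header intact: 0" for the unchecked copy and "1" for the checked one. The point for the thread: SSP guards return addresses on the stack and has no view of this write, which never leaves a page the allocator owns; only a length check at the copy site, or hardening inside the allocator itself, catches it.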