Exploiting UMA, FreeBSD's kernel memory allocator

Postby SirDice » 12 Jun 2009, 14:40

The latest Phrack magazine had an interesting article. Read some of the article but most of it is somewhat beyond me :e

But I did want to share it as it directly affects our favorite OS.

The latest development version (8.0-CURRENT at the time of this writing) of FreeBSD has introduced stack-smashing detection and protection for the kernel by utilizing the incorporation of SSP in GCC [1, 2]. This creates an increased interest in exploring the FreeBSD kernel heap implementation, or zone allocator to be more precise, from a security perspective since it currently provides no exploitation mitigation mechanisms.

This paper presents my findings on exploiting FreeBSD's kernel memory allocator, or UMA - the universal memory allocator [3, 4], on the IA-32 platform. While a certain amount of knowledge of the FreeBSD kernel's internals and IA-32 assembly would be useful in following the paper, they are not strictly required. All presented details and supporting code have been tested on FreeBSD 7.0, 7.1, 7.2 and 8.0-CURRENT from 20090511, but since 7.2 is the latest stable version all code excerpts have been taken from it.


Read more here: http://www.phrack.org/issues.html?issue=66&id=8#article

phrack article about uma & greek free/open source conference

Postby keramida@ » 12 Jun 2009, 23:18

SirDice wrote: The latest Phrack magazine had an interesting article. Read some of the article but most of it is somewhat beyond me :e

Read more here: http://www.phrack.org/issues.html?issue=66&id=8#article


The article by Patroklos is indeed quite interesting. It does not describe a security bug, in the sense of a "local root exploit" (since most of the kernel module code shown in the article requires local root privileges to be loaded into a running kernel). But it does have many good parts:

  • It includes a description of the internals of uma(9). Most of the stuff described can also be gleaned from the kernel source code, but it is wonderful to see something that pieces together some of the internals.
  • The ASCII diagram of the way various uma(9) data structures relate to each other is awesome. It is one of the best parts of the article, IMO. I've spent some time reading uma code for a project of my own, and the data-structure diagram of Patroklos is one of the best I've seen so far. I'm sure it will help a lot to have this picture in mind when one is reading the code of uma.
  • There is no "exploit" code that can give root privileges to someone who doesn't already have kldload privileges, but the article takes a very educational step by step approach to the whole process. This is very nice, as it clearly illustrates by example how one can dive into the guts of a complex and large program, like the kernel, and make it do something quite unexpected.


Patroklos is going to speak at a Greek free & open source conference next week. If you are a Greek FreeBSD user, and you are going to be near Athens the next few days, it may be worth joining us at the conference:

http://conf.ellak.gr/2009/

Postby SirDice » 15 Jun 2009, 18:05

As far as I understood it, that kernel module was/is only used to make it easy to explore/exploit the basic structure. I am assuming an attacker armed with this kind of intimate knowledge of the UMA structure would be able to use that information in a heap overflow. This could be used (or should I say abused?) when exploiting bugs in the base OS or even third party userland tools. Especially since the other attack vector is more or less taken care of (stack smashing/SSP) with 8-current.

So the front door now has deadbolts (stack/SSP) but you could still get bitten in the a$$ by someone taking the back door (heap) :e
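The heap-overflow scenario discussed in this thread, as an added example that is not part of the thread or of the Phrack article: a constructed toy slab allocator in C, not FreeBSD's uma(9) and not its data structures, that only mirrors the general shape of a slab with an in-band free list (the first word of every free item holds the address of the next free item). It shows how an overflow off the end of an in-use item lands on the free neighbour's embedded "next" pointer, how an allocator that trusts that pointer can be steered into handing out an attacker-chosen address (here a constructed `struct target` standing in for a sensitive object), and how a simple free-list integrity check refuses the corrupted pointer. `ITEM_SIZE`, `NITEMS`, `struct target`, `vulnerable_copy` and `run_attack` are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy slab (NOT FreeBSD's uma(9)): fixed-size items carved from
 * one buffer, free list threaded through the free items themselves. */
#define ITEM_SIZE 32
#define NITEMS    8

struct slab {
    uint8_t  mem[ITEM_SIZE * NITEMS];
    uint8_t *freelist;        /* head of the in-band singly linked free list */
};

static void slab_init(struct slab *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->freelist = NULL;
    /* push in reverse so allocations come out in ascending address order */
    for (int i = NITEMS - 1; i >= 0; i--) {
        uint8_t *it = s->mem + i * ITEM_SIZE;
        memcpy(it, &s->freelist, sizeof s->freelist);  /* it->next = head */
        s->freelist = it;
    }
}

/* Unchecked pop: trusts whatever "next" the item contains. */
static void *slab_alloc_unchecked(struct slab *s)
{
    uint8_t *it = s->freelist;
    if (it == NULL)
        return NULL;
    memcpy(&s->freelist, it, sizeof s->freelist);     /* head = it->next */
    return it;
}

/* Hardened pop: "next" must be NULL or an item boundary inside this slab,
 * otherwise the free list has been corrupted and the request is refused. */
static int ptr_is_slab_item(const struct slab *s, const uint8_t *p)
{
    if (p == NULL)
        return 1;
    if (p < s->mem || p >= s->mem + sizeof s->mem)
        return 0;
    return (p - s->mem) % ITEM_SIZE == 0;
}

static void *slab_alloc_checked(struct slab *s)
{
    uint8_t *it = s->freelist, *next;
    if (it == NULL)
        return NULL;
    memcpy(&next, it, sizeof next);
    if (!ptr_is_slab_item(s, next))
        return NULL;              /* corrupted free list detected */
    s->freelist = next;
    return it;
}

/* Constructed stand-in for a sensitive object the attacker wants to write to;
 * the padding keeps the allocator's "next" read inside the object. */
struct target { uint32_t uid; uint8_t pad[ITEM_SIZE]; };

/* Hypothetical victim code: copies an attacker-supplied length into an
 * ITEM_SIZE item with no bound check, i.e. the heap overflow itself. */
static void vulnerable_copy(void *item, const void *src, size_t len)
{
    memcpy(item, src, len);
}

/* Drives the attack against one allocator. Returns 1 if the third allocation
 * came back pointing at 'tgt' (allocator steered) and its uid got zeroed. */
static int run_attack(void *(*alloc)(struct slab *), struct target *tgt)
{
    struct slab s;
    uint8_t payload[ITEM_SIZE + sizeof(uint8_t *)];
    uint8_t *fake = (uint8_t *)tgt;

    slab_init(&s);
    tgt->uid = 1000;
    uint8_t *victim = alloc(&s);                        /* item 0 */
    memset(payload, 'A', ITEM_SIZE);                    /* fills item 0 */
    memcpy(payload + ITEM_SIZE, &fake, sizeof fake);    /* lands on item 1's next */
    vulnerable_copy(victim, payload, sizeof payload);   /* the overflow */

    void *second = alloc(&s);                            /* item 1; head := fake */
    if (second == NULL)
        return 0;                                        /* checked path refused */
    uint32_t *third = alloc(&s);                         /* unchecked: returns tgt */
    if ((void *)third != (void *)tgt)
        return 0;
    *third = 0;                   /* victim's legitimate write now hits uid */
    return 1;
}

/* uid left in the target after the attack: 0 if steered, 1000 if it held. */
static uint32_t uid_after_attack(void *(*alloc)(struct slab *))
{
    struct target t;
    run_attack(alloc, &t);
    return t.uid;
}

int main(void)
{
    uint32_t u = uid_after_attack(slab_alloc_unchecked);
    printf("unchecked allocator: uid after attack = %u\n", u);
    uint32_t c = uid_after_attack(slab_alloc_checked);
    printf("checked allocator:   uid after attack = %u\n", c);
    return 0;
}
```

The boundary check is the cheapest of the free-list integrity measures an allocator can add; it says nothing about whether the pointer is the right in-slab item, so an overflow that aims at another item in the same slab would still pass it. The point here is only the shape of the problem described in the thread: once an allocator keeps its metadata in-band and trusts it, a plain length bug in a consumer of that allocator turns into a write to an address of the attacker's choosing.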