Exploiting UMA, FreeBSD's kernel memory allocator

SirDice

The latest Phrack magazine had an interesting article. I've read some of the article, but most of it is somewhat beyond me :e

But I did want to share it as it directly affects our favorite OS.

The latest development version (8.0-CURRENT at the time of this writing) of FreeBSD has introduced stack-smashing detection and protection for the kernel by utilizing the incorporation of SSP in GCC [1, 2]. This creates an increased interest in exploring the FreeBSD kernel heap implementation, or zone allocator to be more precise, from a security perspective since it currently provides no exploitation mitigation mechanisms.

This paper presents my findings on exploiting FreeBSD's kernel memory allocator, or UMA - the universal memory allocator [3, 4], on the IA-32 platform. While a certain amount of knowledge of the FreeBSD kernel's internals and IA-32 assembly would be useful in following the paper, they are not strictly required. All presented details and supporting code have been tested on FreeBSD 7.0, 7.1, 7.2 and 8.0-CURRENT from 20090511, but since 7.2 is the latest stable version all code excerpts have been taken from it.

Read more here: http://www.phrack.org/issues.html?issue=66&id=8#article
 
phrack article about uma & greek free/open source conference

SirDice said:
The latest Phrack magazine had an interesting article. I've read some of the article, but most of it is somewhat beyond me :e

Read more here: http://www.phrack.org/issues.html?issue=66&id=8#article

The article by Patroklos is indeed quite interesting. It does not describe a security bug, in the sense of a "local root exploit" (since most of the kernel module code shown in the article requires local root privileges to be loaded into a running kernel). But it does have many good parts:

  • It includes a description of the internals of uma(9). Most of the stuff described can also be gleaned from the kernel source code, but it is wonderful to see something that pieces together some of the internals.
  • The ASCII diagram of the way various uma(9) data structures relate to each other is awesome. It is one of the best parts of the article, IMO. I've spent some time reading uma code for a project of my own, and the data-structure diagram of Patroklos is one of the best I've seen so far. I'm sure it will help a lot to have this picture in mind when one is reading the code of uma.
  • There is no "exploit" code that can give root privileges to someone who doesn't already have kldload privileges, but the article takes a very educational step by step approach to the whole process. This is very nice, as it clearly illustrates by example how one can dive into the guts of a complex and large program, like the kernel, and make it do something quite unexpected.

Patroklos is going to speak at a Greek free & open source conference next week. If you are a Greek FreeBSD user, and you are going to be near Athens the next few days, it may be worth joining us at the conference:

http://conf.ellak.gr/2009/
 
As far as I understood it, that kernel module was/is only used to make it easy to explore/exploit the basic structure. I am assuming an attacker armed with this kind of intimate knowledge of the UMA structure would be able to use that information in a heap overflow. This could be used (or should I say abused?) in exploiting bugs in the base OS or even third party userland tools. Especially since the other attack vector is more or less taken care of (stack smashing/SSP) with 8-current.

So the front door now has deadbolts (stack/SSP) but you could still get bitten in the a$$ by someone taking the backdoor (heap) :e
 