# Exploiting UMA, FreeBSD's kernel memory allocator



## SirDice (Jun 12, 2009)

The latest Phrack magazine had an interesting article. Read some of the article but most of it is somewhat beyond me :e

But I did want to share it as it directly affects our favorite OS.



> The latest development version (8.0-CURRENT at the time of this writing) of FreeBSD has introduced stack-smashing detection and protection for the kernel by utilizing the incorporation of SSP in GCC [1, 2]. This creates an increased interest in exploring the FreeBSD kernel heap implementation, or zone allocator to be more precise, from a security perspective since it currently provides no exploitation mitigation mechanisms.
> 
> This paper presents my findings on exploiting FreeBSD's kernel memory allocator, or UMA - the universal memory allocator [3, 4], on the IA-32 platform. While a certain amount of knowledge of the FreeBSD kernel's internals and IA-32 assembly would be useful in following the paper, they are not strictly required.  All presented details and supporting code have been tested on FreeBSD 7.0, 7.1, 7.2 and 8.0-CURRENT from 20090511, but since 7.2 is the latest stable version all code excerpts have been taken from it.



Read more here: http://www.phrack.org/issues.html?issue=66&id=8#article


----------



## keramida@ (Jun 13, 2009)

*phrack article about uma & greek free/open source conference*



			
				SirDice said:
			
		

> The latest Phrack magazine had an interesting article. Read some of the article but most of it is somewhat beyond me :e
> 
> Read more here: http://www.phrack.org/issues.html?issue=66&id=8#article



The article by Patroklos is indeed quite interesting.  It does not describe a _security bug_, in the sense of a "local root exploit" (since most of the kernel module code shown in the article requires local root privileges to be loaded into a running kernel).  But it does have many good parts:


- It includes a description of the internals of uma(9).  Most of the stuff described can also be gleaned from the kernel source code, but it is wonderful to see something that pieces together some of the internals.

- The ASCII diagram of the way various uma(9) data structures relate to each other is _awesome_.  It is one of the best parts of the article, IMO.  I've spent some time reading uma code for a project of my own, and the data-structure diagram of Patroklos is one of the best I've seen so far.  I'm sure it will help a lot to have this picture in mind when one is reading the code of uma.

- There is no "exploit" code that can give root privileges to someone who doesn't already have kldload privileges, but the article takes a very educational step-by-step approach to the whole process.  This is very nice, as it clearly illustrates _by example_ how one can dive into the guts of a complex and large program, like the kernel, and make it do something quite unexpected.

Patroklos is going to speak at a Greek free & open source conference next week.  If you are a Greek FreeBSD user, and you are going to be near Athens the next few days, it may be worth joining us at the conference:

http://conf.ellak.gr/2009/


----------



## SirDice (Jun 15, 2009)

As far as I understood it, that kernel module was/is only used to make it easy to explore/exploit the basic structure. I am assuming an attacker armed with this kind of intimate knowledge of the UMA structure would be able to use that information in a heap overflow. This could be used (or should I say abused?) to exploit bugs in the base OS or even third-party userland tools. Especially since the other attack vector is more or less taken care of (stack smashing/SSP) with 8-current.

So the front door now has deadbolts (stack/SSP) but you could still get bitten in the a$$ by someone taking the back door (heap) :e


----------

