DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 20th March 2009
OldCoot OldCoot is offline
Real Name: Almon C. Turner
New User
 
Join Date: Jun 2008
Location: Mobile, Alabama USA
Posts: 8
Thanked 0 Times in 0 Posts
Default Vulnerability

I found this on an OSX site and, since OpenBSD is mentioned I thought it may be of interest here.

http://invisiblethingslab.com/resour..._cache_fun.pdf
Reply With Quote
  #2   (View Single Post)  
Old 20th March 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,432
Thanked 214 Times in 189 Posts
Default

The PDF refers to (but does not cite) Loic Duflot's SMM abuse analysis from 2006. There was some discussion on misc@ at the time. This from Jonathan Thornburg nets out the consensus: (ref http://marc.info/?l=openbsd-misc&m=114658731227097&w=2)
Quote:
A brief perusal of [Duflot's] paper shows that it describes a way for the *superuser* to circumvent securelevel restrictions. This is interesting, but
(a) it describes an attack by a malicious *superuser*, and
(b) it describes an attack by a malicious person who *already* has an account on the machine under attack.
(a) in particular makes this of more academic than practical concern -- a malicious superuser has about 6.02e23 different ways to take over the system, so adding one more is of little interest. This "attack" is trivially preventable by not allowing malicious persons to become superuser in the first place, indeed by not giving them logins.
Duflot was scheduled to speak on SSM once again this week at CanSecWest, which ends today. Duflot has been harking on various security implications of the x86 SMM for some years.

My cursory interpretation -- I could be wrong -- is that the biggest area for concern, or at least awareness, for *nix users on this architecture is the use of XFree86 or X.Org, which exploit SMM. See xf86(4).

Last edited by jggimi; 20th March 2009 at 04:55 PM.
Reply With Quote
  #3   (View Single Post)  
Old 20th March 2009
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Helpful companion
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts
Default

This is an SMM related flaw, it isn't OpenBSD specific.. I read a paper recently documenting a use of the xf86(4) aperture driver to do malicious things.

People must realize that they only used OpenBSD as an example, it's due to the way Xorg was designed.. as a user land program, it needs a way of accessing special areas of physical memory.

This isn't isn't a problem if machdep.allowaperture is 0, like on a server... or if machdep.allowaperture > 0 and Xorg is running, /dev/xf86 can only be opened once.

As I said, this is an x86 architectural problem.. OpenBSD developers have been concerned about SMM for a very long time.

Don't run untrusted binaries.. and don't do so as root.
Reply With Quote
  #4   (View Single Post)  
Old 20th March 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,432
Thanked 214 Times in 189 Posts
Default

I found an old interview with Duflot whic may be helpful, describing SMM and the X11-based weakness for *nix systems in more detail.

I did not recall the issue clearly, when I wrote above that X uses SMM. It doesn't. SMM uses legacy video RAM memory, and that is where the weakness lies. But I had read this interview 3 years ago, as I remembered the title:

http://www.securityfocus.com/columnists/402

BSDfan's Wiki reference has a link in the footnotes to an article describing a demonstration SMM-based rootkit shown at the Black Hat '08 conference. The key to such things is that OS's and their applications do not have access to SMM datablocks, and would be blind to code hidden therein.
Reply With Quote
  #5   (View Single Post)  
Old 20th March 2009
OldCoot OldCoot is offline
Real Name: Almon C. Turner
New User
 
Join Date: Jun 2008
Location: Mobile, Alabama USA
Posts: 8
Thanked 0 Times in 0 Posts
Default

I posted the link with academic interest in mind rather than a supposition of an actual concern about vulnerability. Involvement in the BSDs suggests at least a little technical expertise. I actually found it through a Mac OSX forum.
Reply With Quote
  #6   (View Single Post)  
Old 20th March 2009
jggimi's Avatar
jggimi jggimi is online now
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,432
Thanked 214 Times in 189 Posts
Default

Well, it *is* of academic interest.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
cannot port upgrade php5-posix, complains about vulnerability robklg FreeBSD Installation and Upgrading 5 15th July 2008 09:05 AM
Swfdec read-only file access vulnerability corey_james FreeBSD Ports and Packages 0 14th May 2008 11:31 PM
WARNING: Vulnerability database out of date, checking anyway mfaridi FreeBSD Security 9 8th May 2008 06:13 AM


All times are GMT. The time now is 04:20 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick