FreeBSD Security Advisory FreeBSD-SA-06:25.kmem

Dan Lukes dan at obluda.cz
Wed Dec 6 08:46:28 PST 2006 

Colin Percival napsal/wrote:
>> A user in the "operator" group can read the contents of kernel memory.
>> Such memory might contain sensitive information, such as portions of
>> the file cache or terminal buffers.  This information might be directly
>> useful, or it might be leveraged to obtain elevated privileges in some
>> way; for example, a terminal buffer might include a user-entered
>> password.
> 
> For what it's worth, there was a lot of debate about whether this deserved
> an advisory: Members of the operator group are allowed (by default, at least)
> to read raw disk devices, so being able to read kernel memory really isn't
> very much of a privilege escalation.  

	Even if the user with (unwanted) access memory has the read access to 
raw disk device we can't assume that all private data presend in memory 
are present on disk also. Especially when swap disabled. Paranoid 
application allocate non-swappable memory to store critical data also. 
There may be in-memory decrypted data (password supplied by user) that 
are never present on disk in raw form. Also, the PAM allow to configure 
the computer to authenticate users without passwords in master.passwd - 
but the correct and usable password still can be found in memory during 
authentication phase.

	Unless we can safelly assume that an user can't use the bug to acces 
data that isn't accesible via other interface, then we found new data 
channel. If we founded a new data channel where it should not be, then 
we found a point of possible data leakage. If data leak to someone who 
should not have acces to it, we found the security bug. There - someone 
has unwanted access to memory. It's security bug. The fact the user has 
the regular read-only access to raw disk device is irelevant unless all 
data avaiable in memory are avaiable on disk also.
	
> I'd be interested to hear opinions from the FreeBSD community about whether
> this sort of issue is one which anyone really cares about.

	Despite the fact that this bug don't create real security violation on 
any system under my supervision, I would like to know all informations 
that *may* affect security of a system. Including those you are not sure 
they really affect security or not.

	I'm administrator of system, I'm responsible for it's security, I will 
make final decision. I will ignore those information that doesn't claim 
security problem on my systems (but it still may claim security problem 
on other's system). Informations doesn't hurt. The lack of information 
may hurt.

						Dan

More information about the freebsd-security mailing list