New Linux Kernel Exploit Technique ‘SLUBStick’ Discovered by Researchers

Aug 07, 2024 | Ravie Lakshmanan | Linux / Vulnerability

Cybersecurity researchers have uncovered a new Linux kernel exploitation method known as SLUBStick that can be used to escalate a limited heap vulnerability to an arbitrary memory read-and-write primitive.

“Initially, it leverages a timing side-channel of the allocator to conduct a cross-cache attack reliably,” a team of researchers from the Graz University of Technology explained in their paper. “Specifically, exploiting the side-channel leakage increases the success rate to over 99% for commonly used generic caches.”

Memory safety flaws in the Linux kernel give an attacker only limited capabilities on their own and are harder to exploit because of mitigations such as Supervisor Mode Access Prevention (SMAP), kernel address space layout randomization (KASLR), and kernel control-flow integrity (kCFI).

While software cross-cache attacks have been developed to bypass kernel hardening measures such as coarse-grained heap separation, the research shows that current methods succeed only about 40% of the time.

SLUBStick has been demonstrated on Linux kernel versions 5.19 and 6.2 using nine security vulnerabilities (e.g., double free, use-after-free, and out-of-bounds write) identified between 2021 and 2023, achieving privilege escalation to root without authentication as well as container escapes.

The core idea of the approach is to turn a limited heap bug into the ability to alter kernel data and obtain an arbitrary memory read-and-write primitive, in a way that effectively bypasses existing defenses such as KASLR.

However, for the method to succeed, the threat model assumes the presence of a heap vulnerability in the Linux kernel and that the attacker can already execute code as an unprivileged user.

“SLUBStick targets newer systems, including v5.19 and v6.2, for a range of heap vulnerabilities,” the researchers noted.
