Cybersecurity researchers have disclosed a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability into an arbitrary memory read-and-write primitive.
“Initially, it exploits a timing side-channel of the allocator to perform a cross-cache attack reliably,” a group of academics from the Graz University of Technology said [PDF]. “Concretely, exploiting the side-channel leakage pushes the success rate to above 99% for frequently used generic caches.”
Memory safety vulnerabilities affecting the Linux kernel have limited capabilities and are much more difficult to exploit owing to security features like Supervisor Mode Access Prevention (SMAP), Kernel Address Space Layout Randomization (KASLR), and kernel control-flow integrity (kCFI).
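The three defenses named above can be checked on a running system without any tooling beyond what the kernel already exposes. The script below is an added example written for this article, not code from the researchers or the Linux project: it parses the `flags` line of `/proc/cpuinfo` for the `smap` feature bit and looks up the upstream Kconfig symbols `CONFIG_RANDOMIZE_BASE` (KASLR) and `CONFIG_CFI_CLANG` (kCFI) in the kernel build config. The functions take the cpuinfo and config text as arguments so they can be exercised on the constructed samples embedded in the script; `--live` runs them against the local machine.

```shell
#!/bin/sh
# Added example, not from the article or the SLUBStick paper: report whether the
# kernel hardening features the article names (SMAP, KASLR, kCFI) look enabled.
# CONFIG_RANDOMIZE_BASE and CONFIG_CFI_CLANG are the real upstream Kconfig symbols.

# has_smap "<cpuinfo text>": succeeds if the CPU flags line advertises SMAP.
has_smap() {
    printf '%s\n' "$1" | grep '^flags[[:space:]]*:' | grep -qw 'smap'
}

# config_enabled "<config text>" CONFIG_NAME: succeeds if the option is built in (=y).
config_enabled() {
    printf '%s\n' "$1" | grep -qxF "$2=y"
}

# hardening_report "<cpuinfo text>" "<config text>": prints one line per feature
# and returns the number of features that appear to be missing (0 = all present).
hardening_report() {
    cpuinfo=$1; config=$2; missing=0
    if has_smap "$cpuinfo"; then
        echo "SMAP:  present"
    else
        echo "SMAP:  MISSING"; missing=$((missing + 1))
    fi
    if config_enabled "$config" CONFIG_RANDOMIZE_BASE; then
        echo "KASLR: enabled"
    else
        echo "KASLR: DISABLED"; missing=$((missing + 1))
    fi
    if config_enabled "$config" CONFIG_CFI_CLANG; then
        echo "kCFI:  enabled"
    else
        echo "kCFI:  DISABLED"; missing=$((missing + 1))
    fi
    return $missing
}

# live_report: run the same checks against this machine, skipping cleanly when
# /proc/cpuinfo or the kernel config is not readable (e.g. not Linux).
live_report() {
    [ -r /proc/cpuinfo ] || { echo "no /proc/cpuinfo; skipping live check"; return 0; }
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        cfgtext=$(cat "$cfg")
    elif [ -r /proc/config.gz ]; then
        cfgtext=$(zcat /proc/config.gz)
    else
        echo "kernel config not readable; skipping live check"; return 0
    fi
    hardening_report "$(cat /proc/cpuinfo)" "$cfgtext"
}

# Constructed sample input (not captured from a real machine): SMAP and KASLR
# present, kCFI not built in, so hardening_report returns 1.
SAMPLE_CPUINFO='processor : 0
vendor_id : GenuineIntel
flags : fpu vme sse2 smep smap pti'
SAMPLE_CONFIG='CONFIG_RANDOMIZE_BASE=y
# CONFIG_CFI_CLANG is not set'

if [ "${1:-}" = "--live" ]; then
    live_report
else
    rc=0
    hardening_report "$SAMPLE_CPUINFO" "$SAMPLE_CONFIG" || rc=$?
    echo "features that look disabled on the sample: $rc"
fi
```

A `MISSING` or `DISABLED` line does not by itself mean a system is exploitable, but it does mean one of the barriers the article describes is absent, which is worth knowing before triaging a kernel heap bug.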
While software cross-cache attacks have been devised as a way to counter kernel hardening techniques like coarse-grained heap separation, studies have shown that existing methods only have a success rate of 40%.
SLUBStick has been demonstrated on versions 5.19 and 6.2 of the Linux kernel using nine security flaws (e.g., double free, use-after-free, and out-of-bounds write) discovered between 2021 and 2023, leading to privilege escalation to root without authentication and container escapes.
The core idea behind the technique is to offer the ability to modify kernel data and obtain an arbitrary memory read-and-write primitive in a manner that reliably surmounts existing defenses like KASLR.
However, for this to work, the threat model assumes the presence of a heap vulnerability in the Linux kernel and that an unprivileged user has code execution capabilities.
“SLUBStick exploits more recent systems, including v5.19 and v6.2, for a wide variety of heap vulnerabilities,” the researchers said.