Wednesday, April 2, 2025

Researchers Discover New Linux Kernel Exploit Technique ‘SLUBStick’

Researchers have revealed a novel Linux kernel exploitation technique, known as SLUBStick, which can elevate a limited heap vulnerability to a fully exploitable arbitrary memory read-and-write primitive.

Initially, the exploit leverages a timing side-channel in the allocator, enabling a reliable cross-cache attack. “By capitalizing on side-channel vulnerabilities in generic caches, attack effectiveness reaches a remarkable 99% or higher, even with standard usage.”

Memory safety vulnerabilities in the Linux kernel offer limited capabilities and are considerably harder to exploit because of safeguards such as Supervisor Mode Execution Prevention (SMEP), kernel address space layout randomization (KASLR), and kernel control-flow integrity.

While software cross-cache attacks were devised as a way to circumvent kernel hardening measures such as coarse-grained heap partitioning, studies have shown that existing methods achieve a mere 40% success rate.

SLUBStick has been successfully demonstrated on versions 5.19 and 6.2 of the Linux kernel, exploiting nine security vulnerabilities (including double frees, use-after-frees, and out-of-bounds writes) identified between 2021 and 2023. The attacks resulted in privilege escalation to root without authentication, as well as container escapes.

The core idea of the approach is to provide the ability to modify kernel data and obtain an arbitrary memory read-and-write primitive in a way that reliably circumvents existing defenses such as KASLR.

The technique has preconditions, however: the threat model requires an exploitable heap vulnerability in the Linux kernel and the ability for an unauthenticated user to execute arbitrary code.

The researchers said that SLUBStick works against more recent kernel versions, specifically v5.19 and v6.2, across a wide range of heap vulnerabilities.
