A newly identified cross-cache attack on the Linux kernel, named SLUBStick, boasts a 99% success rate in transforming a limited heap vulnerability into an arbitrary memory read-and-write capability. This capability allows attackers to escalate privileges or escape containers.
The attack was discovered by a team of researchers from the Graz University of Technology, who demonstrated it on Linux kernel versions 5.9 and 6.2 (latest) using nine existing CVEs in both 32-bit and 64-bit systems, highlighting its high versatility.
Moreover, the attack bypassed all modern kernel defenses, including Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR).
The details of SLUBStick will be presented at the upcoming Usenix Security Symposium conference later this month, where researchers will demonstrate privilege escalation and container escape on the latest Linux systems with state-of-the-art defenses enabled.
Meanwhile, the published technical paper provides comprehensive details on the attack and potential exploitation scenarios.
SLUBStick details
The Linux kernel manages memory efficiently and securely by allocating and deallocating memory chunks known as "slabs" for various data structures. However, flaws in this memory management process can lead to cross-cache attacks, in which attackers corrupt or manipulate data structures. Such attacks are typically effective only around 40% of the time and often result in system crashes.
SLUBStick leverages a heap vulnerability, such as a double-free, use-after-free, or out-of-bounds write, to disrupt the memory allocation process. It then uses a timing side channel to determine precisely when memory chunks are allocated and deallocated, enabling the attacker to predict and control memory reuse.
Figure: CVEs successfully used in the researchers' experiments (Source: stefangast.eu)
By using this timing information, SLUBStick increases the success rate of cross-cache exploitation to 99%, making it highly effective.
Figure: Measured success rates (Source: stefangast.eu)
The conversion of a heap flaw into arbitrary memory read-and-write capabilities involves three steps:
- Free specific memory chunks and wait for the kernel to reuse them.
- Reallocate these chunks in a controlled manner, ensuring they are repurposed for critical data structures like page tables.
- Once these chunks are reclaimed, the attacker can overwrite the page table entries, gaining the ability to read and write any memory location.
Figure: SLUBStick overview (Source: stefangast.eu)
Real-world impact
Like most side-channel attacks, SLUBStick requires local access to the target machine with the capability to execute code. Additionally, the presence of a heap vulnerability in the Linux kernel is necessary for the attack to gain read and write access to memory.
While these requirements may seem to limit the attack’s practicality, SLUBStick offers significant advantages to attackers. For those with code execution capabilities, SLUBStick can facilitate privilege escalation, bypass kernel defenses, enable container escapes, or be integrated into a more complex attack chain.
Privilege escalation can elevate privileges to root, granting unlimited access to the system, while container escapes allow attackers to break out of sandboxed environments and access the host system.
In the post-exploitation phase, SLUBStick can modify kernel structures or hooks to maintain persistence, making malware more challenging for defenders to detect.
Figure: Tampering with '/etc/passwd' data (Source: stefangast.eu)
For those interested in exploring SLUBStick further, the exploits used by the Graz University researchers are available in their GitHub repository.
Source: BleepingComputer, Bill Toulas