Cybersecurity researchers have make clear a unique Linux kernel exploitation methodology dubbed SLUBStick which may be exploited to lift a restricted heap vulnerability to an arbitrary reminiscence read-and-write primitive.
“First of all, it exploits a timing side-channel of the allocator to accomplish a cross-cache assault reliably,” a bunch of lecturers from the Graz College of Generation mentioned [PDF]. “Concretely, exploiting the side-channel leakage pushes the good fortune fee to above 99% for steadily used generic caches.”
Reminiscence protection vulnerabilities impacting the Linux kernel have restricted functions and are much more difficult to milk owing to safety features like Manager Mode Get right of entry to Prevention (SMAP), Kernel cope with house structure randomization (KASLR), and kernel keep watch over waft integrity (kCFI).
Whilst device cross-cache assaults had been devised so that you can counter kernel hardening methods like coarse-grained heap separation, research have proven that current strategies most effective have a good fortune fee of most effective 40%.
SLUBStick has been demonstrated on variations 5.19 and six.2 of the Linux kernel the usage of 9 safety flaws (e.g., double loose, use-after-free, and out-of-bounds write) came upon between 2021 and 2023, resulting in privilege escalation to root without a authentication and container escapes.
The core thought in the back of the method is to supply the power to switch kernel information and acquire an arbitrary reminiscence read-and- write primitive in a fashion that reliably surmounts current defences like KASLR.
Alternatively for this to paintings, the risk type assumes the presence of a heap vulnerability within the Linux kernel and that an unprivileged consumer has code execution functions.
“SLUBStick exploits more moderen techniques, together with v5.19 and v6.2, for all kinds of heap vulnerabilities,” the researchers mentioned.