A novel Linux kernel cross-cache attack named SLUBStick converts a limited heap vulnerability into an arbitrary memory read-and-write primitive with a 99% success rate, letting the researchers elevate privileges or escape containers.
The discovery comes from a team of researchers at Graz University of Technology, who demonstrated the attack on Linux kernel versions 5.9 and 6.2 using nine existing CVEs on both 32-bit and 64-bit systems, indicating high versatility.
Moreover, the attack worked with common kernel defenses such as Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR) enabled.
SLUBStick will be presented in detail at the upcoming USENIX Security Symposium later this month, where the researchers will demonstrate privilege escalation and container escape on a recent Linux kernel with state-of-the-art defenses enabled.
In the meantime, the published technical paper contains all the details about the attack and the potential exploitation scenarios.
SLUBStick details
One way the Linux kernel manages memory efficiently and securely is through its slab allocator (SLUB), which serves kernel objects of the same type or size from dedicated caches, each backed by memory pages called "slabs."
Flaws in this memory management process may allow attackers to corrupt or manipulate data structures belonging to a different cache, in what are known as cross-cache attacks: once every object in a slab has been freed, its page can go back to the page allocator and be handed to another cache. However, such attacks have been reliable only roughly 40% of the time and often end up crashing the system.
SLUBStick exploits a heap vulnerability, such as a double-free, use-after-free, or out-of-bounds write, to manipulate the memory allocation process.
Next, it uses a timing side channel to determine the exact moment a slab page is allocated or deallocated, allowing the attacker to predict and control memory reuse.
Using this timing information raises the success rate of the cross-cache exploitation to 99%, making SLUBStick very practical.
The conversion of the heap flaw into an arbitrary memory read-and-write primitive is done in three steps:
- Free the objects in the targeted slab and wait for the kernel to return its page to the page allocator.
- Reallocate those pages in a controlled manner, ensuring they are repurposed for critical data structures like page tables.
- Once reclaimed, the attacker overwrites the page table entries, gaining the ability to read and write any memory location.
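To make the three steps concrete, here is an added user-space model of slab page recycling. It is not the kernel's allocator and not the researchers' exploit code; it is a made-up two-cache allocator (toy names such as toy_objs and toy_pt, a fixed four-page pool, and the simplification that an empty slab is returned to the page pool immediately) that shows why a stale pointer into a fully freed slab ends up aliasing whatever the next cache, here a fake page-table cache, places on that page. In the real attack the `page_free` check below is what the timing side channel has to stand in for, since the kernel does not tell user space when a slab is released.

```c
/* Added example (not kernel code, not the SLUBStick exploit): a toy
 * model of slab caches sharing one page pool, used to illustrate why a
 * cross-cache attack works. All names and sizes here are made up. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NPAGES    4

/* The "page allocator": a handful of pages and a free map. */
static uint8_t pool[NPAGES][PAGE_SIZE];
static bool    page_free[NPAGES] = { true, true, true, true };

static int page_alloc(void)
{
    for (int i = 0; i < NPAGES; i++)
        if (page_free[i]) { page_free[i] = false; return i; }
    return -1;
}

static void page_release(int idx) { page_free[idx] = true; }

/* A slab cache: fixed-size objects bump-allocated from one slab page.
 * Real SLUB keeps several slabs per cache plus a partial list; this toy
 * keeps exactly one slab so the page-recycling step is easy to see. */
struct cache {
    const char *name;
    size_t      objsize;
    int         page;   /* slab page index, -1 when the cache holds none */
    size_t      used;   /* bytes handed out from the slab */
    size_t      live;   /* objects still allocated from the slab */
};

static void *cache_alloc(struct cache *c)
{
    if (c->page < 0) {                       /* no slab: take a page from the pool */
        c->page = page_alloc();
        if (c->page < 0) return NULL;
        c->used = c->live = 0;
    }
    if (c->used + c->objsize > PAGE_SIZE) return NULL; /* toy model: single slab */
    void *obj = &pool[c->page][c->used];
    c->used += c->objsize;
    c->live++;
    return obj;
}

/* Freeing the last live object returns the whole slab page to the pool.
 * In the real kernel this is the moment SLUBStick's timing side channel
 * has to detect; here it is directly visible in page_free[]. */
static void cache_free(struct cache *c, void *obj)
{
    (void)obj;                               /* toy model: no per-object bookkeeping */
    if (c->live == 0) return;
    if (--c->live == 0) {
        page_release(c->page);
        c->page = -1;
    }
}

/* Returns the pool page a pointer falls into, or -1 if it is not in the pool. */
static int page_of(const void *p)
{
    const uint8_t *b = p;
    for (int i = 0; i < NPAGES; i++)
        if (b >= pool[i] && b < pool[i] + PAGE_SIZE) return i;
    return -1;
}

/* Walks the three steps from the text. Returns true when a write through the
 * stale pointer from the victim cache lands inside the "page table" page.
 * Page tables are modelled as a cache whose object is a whole page; real
 * page tables come straight from the page allocator, which is the point. */
static bool cross_cache_demo(void)
{
    enum { OBJ = 256, NOBJ = PAGE_SIZE / OBJ };
    struct cache vuln = { "toy_objs", OBJ,       -1, 0, 0 }; /* cache with the buggy object */
    struct cache pt   = { "toy_pt",   PAGE_SIZE, -1, 0, 0 }; /* a page table fills a page */

    /* Spray the vulnerable cache until it owns a full slab. */
    void *objs[NOBJ];
    for (size_t i = 0; i < NOBJ; i++) objs[i] = cache_alloc(&vuln);
    void *dangling = objs[3];                /* stand-in for a use-after-free pointer */
    int victim_page = page_of(dangling);

    /* Step 1: free every object so the slab page goes back to the allocator. */
    for (size_t i = 0; i < NOBJ; i++) cache_free(&vuln, objs[i]);
    if (!page_free[victim_page]) return false;

    /* Step 2: a page-table allocation now reclaims that very page. */
    uint64_t *ptes = cache_alloc(&pt);
    bool ok = page_of(ptes) == victim_page;

    /* Step 3: the stale pointer writes straight into a page-table entry. */
    const uint64_t fake_pte = 0x0000000012345067ULL; /* made-up PTE value */
    memcpy(dangling, &fake_pte, sizeof fake_pte);
    ok = ok && ptes[3 * OBJ / sizeof(uint64_t)] == fake_pte;

    cache_free(&pt, ptes);                   /* tidy up so the demo can run again */
    return ok;
}

int main(void)
{
    printf("stale pointer aliases page-table page: %s\n",
           cross_cache_demo() ? "yes" : "no");
    return 0;
}
```

The model deliberately leaves out everything that makes the real attack hard: SLUB's per-CPU and partial slab lists that delay the page release, the page allocator's per-order freelists that decide which page a later allocation gets, and the fact that user space cannot observe `page_free[]` at all. Those are exactly the gaps the paper's timing side channel and allocator grooming close.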
Real-world impact
As with most attacks involving a side channel, SLUBStick requires local access to the target machine with code execution capabilities. Moreover, the attack requires the presence of a heap vulnerability in the Linux kernel, which is then used to gain read and write access to memory.
While this may make the attack appear impractical, it does offer real advantages to attackers.
Even for attackers who already have code execution, SLUBStick provides the ability to achieve privilege escalation, bypass kernel defenses, perform container escapes, or serve as a component of a complex attack chain.
Privilege escalation can be used to elevate privileges to root, allowing unrestricted operations, while container escape can be used to break out of sandboxed environments and access the host system.
Moreover, in the post-exploitation phase, SLUBStick could modify kernel structures or hooks to maintain persistence, making malware harder for defenders to detect.
Those who want to dive deeper into SLUBStick and experiment with the exploits used by the Graz University of Technology researchers can find them in the researchers' GitHub repository.