New SLUBStick Attack Makes Linux Kernel Vulnerabilities More Dangerous


A team of researchers from the Graz University of Technology in Austria has published a paper on SLUBStick, a new Linux kernel exploitation technique that can make heap vulnerabilities more dangerous.

The researchers noted that while the number of Linux kernel flaws has significantly increased in recent years, many issues have limited impact.

Software cross-cache attacks, which exploit the memory reuse of the kernel allocator, can increase the impact of a vulnerability, but the TU Graz researchers noted that such attacks are still impractical as they only have a success rate of 40% and they often result in a crash of the system.

The new SLUBStick technique can allow an attacker to elevate a limited heap vulnerability to an arbitrary memory read/write primitive, which, as the researchers demonstrated, can be leveraged for privilege escalation and container escapes, even with modern defenses enabled.

“Initially, it exploits a timing side channel of the allocator to reliably perform a cross-cache attack with better than 99% success rate on commonly used generic caches,” the researchers explained in their paper.

“SLUBStick then exploits code patterns prevalent in the Linux kernel to perform a cross-cache attack and turn a heap vulnerability into a page table manipulation, thereby granting the capability to read and write memory arbitrarily,” they added.

The researchers demonstrated their findings against versions 5.19 and 6.2 of the Linux kernel, and targeted nine known vulnerabilities — discovered between 2021 and 2023 — to show privilege escalation. 

They have made available SLUBStick artifacts and code used to perform attacks. Videos showing the exploit in action have also been published. 

The US cybersecurity agency CISA recently warned users and organizations about a couple of Linux kernel vulnerabilities exploited in the wild. The agency’s Known Exploited Vulnerabilities Catalog currently includes 14 Linux kernel flaws.
