Specialists from Graz University of Technology (Austria) have unveiled a new cross-cache attack on the Linux kernel, named SLUBStick. The attack leverages a limited heap vulnerability to gain arbitrary read and write access to memory, giving attackers the ability to elevate privileges or break out of containers.
The attack was successfully tested on Linux kernel versions 5.9 and 6.2, demonstrating the method's versatility. In the experiments, 9 existing vulnerabilities were exploited on both 32-bit and 64-bit systems.
SLUBStick proved effective even against modern kernel protections such as Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR).
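Since the article names SMEP, SMAP and KASLR as the protections the attack bypasses, a defender's first question is whether those protections are actually in effect on a given host. The following is an added example (not code from the article or from the SLUBStick researchers) that reports their state. It assumes the CPU flags come from the `flags` line of `/proc/cpuinfo`, and that a protection counts as disabled when the kernel command line carries `nosmep`, `nosmap` or `nokaslr`; the sample flags and command lines used at the bottom are constructed.

```shell
#!/bin/sh
# Added example: report the state of the kernel protections named in the
# article (SMEP, SMAP, KASLR) on a Linux host.
# Assumptions: CPU capability comes from the "flags" line of /proc/cpuinfo;
# a protection is treated as disabled if the kernel command line contains
# the corresponding "nosmep" / "nosmap" / "nokaslr" parameter.

# has_word LINE WORD -> exit 0 if WORD appears as a whole word in LINE
has_word() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | grep -qx -- "$2"
}

# cpu_feature_state FLAGS_LINE CMDLINE FEATURE
#   -> "present", "disabled by cmdline" or "missing"
cpu_feature_state() {
    flags=$1; cmdline=$2; feature=$3
    if ! has_word "$flags" "$feature"; then
        echo "missing"
    elif has_word "$cmdline" "no$feature"; then
        echo "disabled by cmdline"
    else
        echo "present"
    fi
}

# kaslr_state CMDLINE -> "enabled" unless "nokaslr" was passed at boot
kaslr_state() {
    if has_word "$1" nokaslr; then echo "disabled"; else echo "enabled"; fi
}

# mitigation_report FLAGS_LINE CMDLINE -> one "name: state" line per protection
mitigation_report() {
    for f in smep smap; do
        echo "$f: $(cpu_feature_state "$1" "$2" "$f")"
    done
    echo "kaslr: $(kaslr_state "$2")"
}

# Constructed sample input, so the script also runs where /proc is absent.
SAMPLE_FLAGS="fpu vme de pse tsc msr pae smep smap"
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nosmap"

# When run directly on a Linux host, report the live state; fall back to the sample.
if [ -r /proc/cpuinfo ] && [ -r /proc/cmdline ]; then
    live_flags=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2- || true)
    mitigation_report "$live_flags" "$(cat /proc/cmdline)"
else
    mitigation_report "$SAMPLE_FLAGS" "$SAMPLE_CMDLINE"
fi
```

A host reporting `smep: present`, `smap: present` and `kaslr: enabled` has the three protections the article lists turned on; that does not make it immune to SLUBStick, which the article says defeats all three, but a `missing` or `disabled by cmdline` line is a gap worth closing regardless.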
Full details of the attack will be presented at the USENIX Security Symposium scheduled for the end of August. The researchers will demonstrate privilege escalation and container escape on the latest Linux versions with security mechanisms enabled.
The Linux kernel manages memory by allocating and freeing memory blocks (slabs) for various data structures. Vulnerabilities in this memory management process can lead to cross-cache attacks, which succeed in about 40% of cases and often result in system crashes.
SLUBStick exploits heap vulnerabilities such as double-free, use-after-free, or out-of-bounds writes to manipulate the memory release process. The attack then uses a synchronization side channel to predict and control the reuse of memory, increasing the success rate of a cross-cache attack to 99%.
The conversion of a heap vulnerability into the ability to read and write memory occurs in three stages:
- Releasing specific memory blocks and waiting for their reuse by the kernel;
- Re-releasing blocks in a controlled manner so they are used for critical data structures like page tables;
- Modifying page table entries to gain the ability to read and write data in any memory region.
Like most side-channel attacks, SLUBStick requires local access to the target machine with code execution capabilities. Additionally, the attack requires a heap vulnerability in the Linux kernel in order to gain access to memory.