A newly discovered technique for exploiting flaws in the Linux kernel could allow bad actors to bypass advanced protections and gain full control over targeted systems via a cross-cache attack.

The novel exploitation technique, called SLUBStick, has a 99% success rate in elevating a limited heap vulnerability to an arbitrary memory read-and-write primitive, which allows attackers to elevate privileges and escape container environments, according to the researchers at Graz University of Technology in Australia.

SLUBStick significantly raises the threat level to the Linux kernel, which has seen an increase in the number of vulnerabilities over the past several years, the researchers wrote in a paper that will be presented at the Usenix Security Symposium, which starts August 14 in Philadelphia.

Despite the jump in kernel flaws, “most have limited capabilities, such as corrupting a few bytes in restricted allocator caches,” they wrote. “To elevate their capabilities, security researchers have proposed software cross-cache attacks, exploiting the memory reuse of the kernel allocator. However, such cross-cache attacks are impractical due to their low success rate of only 40%, with failure scenarios often resulting in a system crash.”

SLUBStick changes the calculation, with the research demonstrating the attack on recent Linux kernel versions 5.9 and 6.2. The demonstrations were run using a synthetic vulnerability as well as nine existing CVEs and on Linux kernels with the most advanced defenses enabled, including Supervisor Mode Access Prevention (SMAP), Supervisor Mode Execution Prevention (SMEP), and Kernel Address Space Layout Randomization (KASLR).

Attacking the ‘Slabs’

A particular security strategy is enforcing coarse-grained heap separation, which puts objects in distinct allocator caches that maintain “slabs” – blocks of adjacent pages – and separate objects that are critical to security from objects that are frequently used. This protects those frequently-used caches from being directly exploited to manipulate security objects, like credentials, the researchers wrote.

Security researchers in the past have shown various cross-cache attacks used by several kernel exploits, including software cross-cache that exploit the memory reuse of the kernel allocator by triggering a heap vulnerability to get and hot onto a write capability. The bad actors then free all memory slots to the slab page, triggering the allocation of new slab pages to reclaim the previously freed and recycled slab pages.

The researchers noted that dedicated allocator caches can be reliably exploited for cross-cache attacks. However, generic caches can’t. That’s where the 40% success rate and the system crashes come in. SLUBStick changes that, according to the researchers.

“At its core, SLUBStick exploits timing side-channel leakage of the kernel’s allocator to reliably trigger the recycling and reclaiming process for a specific memory target,” they wrote. “Exploiting this side-channel leakage significantly enhances the success rate of software cross-cache attacks.”

Multi-Stage Exploit

SLUBStick operates in several stages, exploiting code patterns that are used in the Linux kernel to manipulate page tables, which gives the attacker complete control over the system memory. In the first stage, SLUBStick exploits a heap vulnerability to get a memory write primitive (MWP), giving the bad actor the ability to write at a time of their choosing. The primate refers to the memory of a freed object. The technique triggers a recycling process of the slab’s chunk of memory by deallocating all of the slab’s objects. The memory chunk is returned to the allocator for future use.

The next stage includes SLUBStick allocating page tables to reclaim the recycled memory chunk for a page table to translate a userspace address, with the table entries referring to such items as user-accessible pages and the storing of crucial information, such as page frame numbers and access permissions.

“In the third stage, SLUBStick triggers the MWP to overwrite the referenced memory of the page table,” the researchers wrote. “This manipulation allows an adversary to change the page frame number and permission bits, granting access to any physical page and adjusting user access permissions. As a result, the virtual address now refers to the selected page with permission to modify it from userspace.”

For example, referring to kernel code enables the adversary to change the kernel’s behavior. Also, the attacker can reference data of privileged files such as etc/passwd, modifying it to bypass authentication checks. In addition, because SLUBStick doesn’t violate the kernel’s control flow or existing kernel defenses, these defenses can’t mitigate the threat.

A Ripple Effect

A danger of SLUBStick is that its capabilities can increase the effectiveness of known Linux kernel exploit techniques, with the researchers pointing to DirtyCred as an example. They found that using SLUBStick significantly increases the success rate for DirtyCred, an exploit technique detected two years ago.

“Moreover, SLUBStick is more versatile than DirtyCred as it does not rely on an invalid free on a credential object. Instead, an invalid free operation on any object is sufficient,” they wrote.