SLUBStick: From Memory Error to Full Linux Control

Researchers have found a way to defeat Linux kernel heap protections with 99% reliability.

Researchers at Graz University of Technology (Austria) have presented SLUBStick, a new cross-cache attack on the Linux kernel that turns a limited heap vulnerability into an arbitrary kernel memory read/write primitive. That primitive lets an attacker escalate privileges or escape a container.

The attack was tested on Linux kernel versions 5.9 and 6.2, which shows that the method is not tied to one kernel release. During the experiments, 9 existing vulnerabilities were exploited on both 32-bit and 64-bit systems.


Vulnerabilities used in the experiment

SLUBStick remained effective with the standard kernel hardening features enabled: Supervisor Mode Execution Prevention (SMEP), Supervisor Mode Access Prevention (SMAP), and Kernel Address Space Layout Randomization (KASLR).

Details of the attack will be presented at the USENIX Security Symposium in late August. The researchers will demonstrate privilege escalation and container escape on a current Linux kernel with its defenses enabled.

Technical details of SLUBStick

The Linux kernel's slab allocator serves most small kernel allocations from per-type caches: each cache takes whole pages from the page allocator, carves them into fixed-size objects (slabs), and hands the page back once every object in it has been freed. A cross-cache attack abuses this recycling: the attacker frees enough objects that the page holding a vulnerable object is returned to the page allocator, then gets a different cache to reclaim that same page, so a dangling or out-of-bounds reference now aliases an object of a completely different type. Without a way to tell when the page is actually recycled, such attacks succeed only about 40% of the time and frequently crash the system.

SLUBStick starts from an ordinary heap vulnerability, such as a double-free, use-after-free, or out-of-bounds access, and uses it to influence slab allocation. It then uses a timing side channel to determine exactly when slab pages are allocated and released, which lets the attacker predict and control when a page is reused by another cache.

With this information, the success rate of the cross-cache step rises to 99%, which makes SLUBStick practical rather than probabilistic.


Attack success rates

Turning the heap vulnerability into an arbitrary memory read/write primitive takes three stages:
  1. Free the objects sharing the vulnerable object's slab page and use the timing side channel to confirm that the kernel has actually returned the page to the page allocator;
  2. Reclaim that page in a controlled way so that it is reused for a security-critical data structure, in this case a page table;
  3. Use the original memory error to overwrite page table entries in the reclaimed page, which gives the attacker read and write access to any physical memory.
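The following is an added toy model, not code from the researchers or the kernel, of the slab recycling that the description above and the technical paragraph before it rely on. It simulates two caches (a hypothetical 64-byte object cache and a page-sized "page table" cache) carving objects out of a shared pool of 4 KiB pages. When every object in cache A's page is freed, the page returns to the pool and cache B can claim it, so a pointer that was left dangling in A now points into B's object. The `straggler` flag shows the failure mode behind the 40% figure: if even one object in the slab stays allocated, the page is never recycled and the cross-cache step silently fails. All names and sizes here are assumptions for illustration.

```c
/* Toy model of cross-cache page reuse in a slab-style allocator.
 * Added example; it is not the SLUBStick code nor the kernel's SLUB. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NPAGES 4

static uint8_t pool[NPAGES][PAGE_SIZE];   /* the "page allocator" */
static int page_free[NPAGES];             /* 1 = page is on the free list */

struct cache {
    const char *name;
    size_t obj_size;
    int page;                 /* index of the cache's current slab page, -1 if none */
    int inuse;                /* objects currently allocated from that page */
    int objs_per_page;
    uint8_t *freelist[PAGE_SIZE / 8];   /* LIFO of free objects in the page */
    int nfree;
};

static void pool_reset(void) {
    for (int i = 0; i < NPAGES; i++) page_free[i] = 1;
    memset(pool, 0, sizeof pool);
}

/* Lowest free page first: deterministic, like a simple free list. */
static int page_get(void) {
    for (int i = 0; i < NPAGES; i++)
        if (page_free[i]) { page_free[i] = 0; return i; }
    return -1;
}

static void page_put(int i) { page_free[i] = 1; }

/* Which pool page an address falls in, or -1 if it is outside the pool. */
static int page_of(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)pool;
    if (a < base || a >= base + sizeof pool) return -1;
    return (int)((a - base) / PAGE_SIZE);
}

static void cache_init(struct cache *c, const char *name, size_t sz) {
    memset(c, 0, sizeof *c);
    c->name = name;
    c->obj_size = sz;
    c->page = -1;
    c->objs_per_page = (int)(PAGE_SIZE / sz);
}

/* Toy: one slab page per cache; a new page is taken only when the cache has none. */
static void *cache_alloc(struct cache *c) {
    if (c->page < 0) {
        c->page = page_get();
        if (c->page < 0) return NULL;
        c->nfree = 0;
        for (int i = c->objs_per_page - 1; i >= 0; i--)   /* lowest address handed out first */
            c->freelist[c->nfree++] = pool[c->page] + (size_t)i * c->obj_size;
        c->inuse = 0;
    }
    if (c->nfree == 0) return NULL;
    c->inuse++;
    return c->freelist[--c->nfree];
}

static void cache_free(struct cache *c, void *obj) {
    c->freelist[c->nfree++] = obj;
    if (--c->inuse == 0) {      /* slab empty: the page goes back to the page allocator */
        page_put(c->page);
        c->page = -1;
        c->nfree = 0;
    }
}

/* Returns 1 if a pointer left dangling in cache A ends up aliasing the object
 * cache B receives (the cross-cache condition), 0 otherwise. With `straggler`
 * set, one object in A's slab stays allocated, so the page is never recycled. */
int cross_cache_demo(int straggler) {
    struct cache a, b;
    void *objs[PAGE_SIZE / 64];
    pool_reset();
    cache_init(&a, "kmalloc-64 (hypothetical)", 64);
    cache_init(&b, "page-table (hypothetical)", PAGE_SIZE);

    int n = a.objs_per_page;
    for (int i = 0; i < n; i++) objs[i] = cache_alloc(&a);
    uint8_t *dangling = objs[3];            /* the "vulnerable" object, at page offset 192 */

    /* Stage 1: free everything in the slab so the page is returned. */
    for (int i = 0; i < n; i++) {
        if (straggler && i == n - 1) continue;
        cache_free(&a, objs[i]);
    }
    /* Stage 2: a different cache asks for a page and may get the recycled one. */
    uint8_t *pt = cache_alloc(&b);
    /* Stage 3: a write through the stale pointer lands in B's object only if the pages alias. */
    dangling[0] = 0x5a;
    int aliased = page_of(dangling) == page_of(pt) && pt[3 * 64] == 0x5a;
    printf("%s -> %s: page %d vs page %d, aliased=%d\n",
           a.name, b.name, page_of(dangling), page_of(pt), aliased);
    return aliased;
}

int main(void) {
    cross_cache_demo(0);   /* all objects freed: page recycled, pointer aliases the page table */
    cross_cache_demo(1);   /* one straggler: page stays with A, cross-cache fails */
    return 0;
}
```

In the real kernel the attacker does not control the other objects in the slab and cannot directly observe whether the page was released, which is why a blind attempt at stage 1 succeeds only sometimes; the timing side channel described above is what tells the attacker which case they are in before they proceed to stage 2.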


SLUBStick overview

Real impact on security

Like most side-channel attacks, SLUBStick requires local code execution on the target machine. In addition, it needs an existing heap vulnerability in the Linux kernel to serve as its starting point; the technique does not create one.

For attackers who already have local code execution, SLUBStick offers a reliable way to escalate privileges, bypass kernel defenses, escape containers, or serve as one link in a longer attack chain.

Privilege escalation yields root, which permits any operation on the system, and container escape breaks out of the isolated environment onto the host. In the post-exploitation phase, the same read/write primitive can be used to modify kernel structures or hooks for persistence, which makes the resulting malware hard to detect.


Modifying the contents of "/etc/passwd"

For those who want to learn more about SLUBStick and experiment with it, the researchers have published the full details in their paper and released the code in a GitHub repository.
