logo
allArticlesConferencesPresentations

TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices - Pwn Android Phones from 2015 to 2020

Conference:  BlackHat USA 2020

2020-08-06

Summary

The presentation discusses the exploit chain used to remotely compromise smartphones and the difficulty of targeting Pixel devices.
  • Smartphone remote attacks can be divided into two categories: those launched through the internet and those launched through adjacent networks
  • The exploit chain used to remotely compromise smartphones is a one-click internet deployable attack
  • Pixel devices are a tough target due to their advanced patches and vulnerability mitigations
  • The presentation includes an anecdote about the speaker finding a Pixel XL with a single vulnerability
In 2016, the speaker found a Pixel XL with a single vulnerability, which was similar to the exploit chain used in 2015 to get RCE in Chrome render process and then attend this RCE into a USS vulnerability. By exploiting the V8 bug again in a review, Chrome samples could be bypassed easily. This thunderbolts escaping method doesn't work anymore because WebView is sandbox now.

Abstract

As more and more mitigations have been introduced into Android, modern Android devices become much more difficult to be rooted, in particular, remotely rooted. This is especially true for Pixel Devices as they always have the latest updates and mitigations. In this presentation, we will explain why Pixel devices are difficult targets and will give an attack surface analysis of remotely compromising Android. Furthermore, we will introduce an exploit chain, named TiYunZong, which can be leveraged to remotely root a wide range of Qualcomm-based Android devices including Pixel Devices. The exploit chain includes three new bugs, which are CVE-2019-5870, CVE-2019-5877, CVE-2019-10567. We will also present an effective and stable approach to chain these three vulnerabilities for exploitation without any ROP, despite the fact that ROP is the most common technique to exploit complicated vulnerabilities. The exploit chain is the first reported one-click remote root exploit chain on Pixel devices and won the highest reward for a single exploit chain across all Google VRP programs.
Materials:
Slides
Paper
Tags:

Post a comment

Related work

Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Conference:  BlackHat USA 2021
Authors:
2021-08-04

Pwning "the toughest target": the exploit chain of winning the largest bug bounty in the history of ASR program

Conference:  Defcon 26
Authors:
2018-08-01

Shield with Hole: New Security Mitigation Helps Us Escape Chrome Sandbox to Exfiltrate User Privacy

Conference:  BlackHat EU 2020
Authors:
2020-12-09

Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021

Conference:  Black Hat USA 2022
Authors:
2022-08-10

Two Bugs With One PoC: Rooting Pixel 6 From Android 12 to Android 13

Conference:  Black Hat Asia 2023
Authors: Yong Wang
2023-05-11

Qualcomm WiFi: Infinity War

Conference:  BlackHat USA 2021
Authors:
2021-08-05