Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Conference: BlackHat USA 2021

2021-08-04

Summary

The presentation discusses methods for achieving arbitrary read and write through memory sharing and the combination of code logic.
  • Reducing the time slice increases the chance of a CPU switch inside the race window
  • Creating multiple padding straps to increase the CPU node
  • Adjusting thread priority to influence the surrounding time slice and the schedule time
  • Controlling the pointer to achieve read and write afterwards
  • Using memory sharing to achieve arbitrary read and write
  • Combining code logic to achieve a stable object rate in the write
The presentation gives an example of using the H-map interface structure to achieve arbitrary read and write by saving a pointer to file private data and modifying the corresponding thread operations in the kernel.

Abstract

The difficulty of remote root on Android devices has been increasing year by year. As more and more mitigations have been applied to both the user space and kernel space, building a remote root exploit chain becomes an extremely challenging task. Since the last time our team discovered the TiYunZong exploit chain to achieve one-click remote root on Pixel 3, we once again set off towards this goal targeting new Pixel devices with the latest updates.

In this presentation, we will introduce Mangkhut, an exploit chain to remotely root modern Android devices with only two vulnerabilities: a Chrome vulnerability (CVE-2020-6537), which is used to achieve arbitrary code execution in the browser render process, and a Binder vulnerability (CVE-2020-0423), which can be leveraged to escalate from the highly sandboxed process to root. We will introduce the root cause of these vulnerabilities, and present technical details of the exploit chain. In terms of browser exploitation, we will describe how to convert a restricted type confusion bug in V8 to a more powerful one with an out-of-bounds access primitive. For the sandbox escalation portion, we will describe the difficulties encountered, such as the extremely narrow race window to trigger the bug and the limitations of a 32-bit compromised render process launching an exploit against a 64-bit kernel. We will present the approach to solve these issues and achieve arbitrary read and write by triggering the vulnerability only once. The exploit chain affects a wide range of devices running multiple versions of the Android system and was publicly acknowledged in Google's official vulnerability reward program annual report.