Pwning "the toughest target": the exploit chain of winning the largest bug bounty in the history of ASR program

Conference: Defcon 26

2018-08-01

Summary

The presentation discusses how a team was able to discover a remote exploit chain that could compromise Google's Pixel phone remotely, and how they were awarded the highest reward in the history of the Android Security Rewards program.
  • The Pixel phone is protected by many layers of security and was not compromised in the 2017 Mobile Pwn2Own competition
  • The team discovered a remote exploit chain that could compromise the Pixel phone remotely
  • The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904
  • CVE-2017-5116 is a V8 engine bug related to WebAssembly and SharedArrayBuffer
  • CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from the sandbox
  • All details of vulnerabilities and mitigation bypassing techniques will be given in this talk
The Pixel phone was the only device that was not pwned in the 2017 Mobile Pwn2Own competition, but the team was able to discover a remote exploit chain that could compromise it remotely.

Abstract

In recent years, Google has made many great efforts in exploit mitigation and attack surface reduction to strengthen the security of the Android system. It is becoming more and more difficult to remotely compromise Android phones, especially Google's Pixel phone. The Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But our team discovered a remote exploit chain, the first of its kind since the Android Security Rewards (ASR) program expansion, which could compromise the Pixel phone remotely. The exploit chain was reported to the Android security team directly. They took it seriously and patched it quickly. Because of the severity and our detailed report, we were awarded the highest reward ($112,500) in the history of the ASR program. In this talk we will detail how we used the exploit chain to inject arbitrary code into the system_server process and obtain system user permissions. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug related to WebAssembly and SharedArrayBuffer. It is used to get remote code execution in the sandboxed Chrome renderer process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from the sandbox. The way we used for sandbox escaping is very interesting and has rarely been talked about before. All details of the vulnerabilities and mitigation bypassing techniques will be given in this talk.
