logo
allArticlesConferencesPresentations

The Art of Exploiting UAF by Ret2bpf in Android Kernel

Conference:  BlackHat USA 2021

2021-11-10

Summary

The presentation discusses an exploit that manipulates kernel heap layout in Android devices and the use of behavioral detection to identify suspicious activity.
  • The exploit relies on kernel heap sprays to control use after freeze by manipulating kernel heap layout
  • Behavioral detection, such as monitoring kernel calls and parameters, can identify suspicious activity
  • Garbage calls may be used to disguise required actions but could affect timing and reliability
  • Kernel updates through the Generic Kernel Image Project result in better protection for Android users
The exploit launches threads to perform memory manipulation work, which can be identified through behavioral detection by monitoring the number of event fd calls and unusual behavior such as closing every second event fd handle.

Abstract

In early 2021, an external researcher reported to Google three lines of code indicating the xt_qtaguid kernel module, used for monitoring network socket status, had a Use-After-Free vulnerability (CVE-2021-0399) for 10 years. Unfortunately, the researcher did not provide any additional information or a PoC and stated the vulnerability was not exploitable on some Android devices due to the presence of CONFIG_ARM64_UAO. Thus, the Google Android Security team decided to investigate the likelihood of exploitation of this vulnerability.We will discuss and analyze the history of known vulnerabilities in the module xt_qtaguid along with the reported vulnerability. Besides, we will present several ways of exploiting the kernel by the bug. Particularly, we will articulate how to circumvent CONFIG_ARM64_UAO using the ret2bpf technique and show a video demo on pwning Mi9 device to prove that the reported vulnerability could allow an attacker to conduct local privilege escalation on the latest version of Android Pie with modern kernel protections enabled.Furthermore, we will talk about additional mitigations present in current Android versions that would block the exploitation described here, what Google knows about this vulnerability, and introduce how Google detects Android exploit samples statically and dynamically including with eBPF.
Materials:
Tags:

Post a comment

Related work

Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021

Conference:  Black Hat USA 2022
Authors:
2022-08-10

Android Universal Root: Exploiting Mobile GPU / Command Queue Drivers

Conference:  Black Hat USA 2022
Authors:
2022-08-10

Cautious: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe

Conference:  Black Hat USA 2022
Authors:
2022-08-11

Two Bugs With One PoC: Rooting Pixel 6 From Android 12 to Android 13

Conference:  Black Hat Asia 2023
Authors: Yong Wang
2023-05-11

TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices - Pwn Android Phones from 2015 to 2020

Conference:  BlackHat USA 2020
Authors:
2020-08-06

Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Conference:  BlackHat USA 2021
Authors:
2021-08-04