The Art of Exploiting UAF by Ret2bpf in Android Kernel

Conference:  BlackHat USA 2021



The presentation covers an exploit that shapes the kernel heap layout on Android devices, and the use of behavioral detection to flag the activity such an exploit produces.
  • The exploit relies on kernel heap sprays, which shape the kernel heap layout so that the use-after-free lands on attacker-controlled objects
  • Behavioral detection, such as monitoring system calls and their parameters, can identify the suspicious activity
  • Garbage syscalls may be interleaved to disguise the required call sequence, but they can affect the exploit's timing and reliability
  • Kernel updates delivered through the Generic Kernel Image (GKI) project give Android users better protection
The exploit launches threads to do the memory-manipulation work. Behavioral detection can identify this by monitoring the number of eventfd calls and unusual behavior such as closing every second eventfd handle.
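The eventfd pattern described above, as an added example that is not code from the talk or from Google's detection tooling: a heuristic that walks a constructed, strace-style syscall trace, counts eventfd2() calls per process, and checks whether every second eventfd handle is later closed while its neighbours are kept. The trace line format, the pid 4242, and the `min_calls` threshold are assumptions made for this example.

```c
/*
 * Added example (not from the talk): behavioural heuristic for the
 * "allocate many eventfds, then close every second one" heap-shaping
 * pattern, run over a constructed strace-style trace. Line format,
 * pid and thresholds are assumptions for this example.
 */
#include <stdio.h>
#include <string.h>

#define MAX_FDS 256

struct eventfd_stats {
    int eventfd_calls;  /* eventfd2() calls seen for the watched pid */
    int closed_odd;     /* 2nd, 4th, 6th... eventfd handles later closed */
    int closed_even;    /* 1st, 3rd, 5th... eventfd handles later closed */
    int fds[MAX_FDS];   /* fds returned by eventfd2 in call order; -1 once closed */
    int nfds;
};

/* Constructed trace lines: "<pid> <syscall>(<args>) = <ret>". */
static const char *const SPRAY_TRACE[] = {
    "4242 getpid() = 4242",                 /* unrelated noise */
    "4242 eventfd2(0, EFD_CLOEXEC) = 5",
    "4242 eventfd2(0, EFD_CLOEXEC) = 6",
    "4242 eventfd2(0, EFD_CLOEXEC) = 7",
    "4242 eventfd2(0, EFD_CLOEXEC) = 8",
    "4242 eventfd2(0, EFD_CLOEXEC) = 9",
    "4242 eventfd2(0, EFD_CLOEXEC) = 10",
    "4242 eventfd2(0, EFD_CLOEXEC) = 11",
    "4242 eventfd2(0, EFD_CLOEXEC) = 12",
    "4242 getuid() = 10123",                /* garbage call between steps */
    "4242 close(6) = 0",
    "4242 close(8) = 0",
    "4242 close(10) = 0",
    "4242 close(12) = 0",
    "1 close(6) = 0",                       /* another pid: ignored */
};
#define SPRAY_LEN ((int)(sizeof SPRAY_TRACE / sizeof SPRAY_TRACE[0]))

static const char *const BENIGN_TRACE[] = {
    "4242 eventfd2(0, EFD_CLOEXEC|EFD_NONBLOCK) = 5",
    "4242 eventfd2(0, EFD_CLOEXEC|EFD_NONBLOCK) = 6",
    "4242 write(5, ..., 8) = 8",
    "4242 close(5) = 0",
    "4242 close(6) = 0",
};
#define BENIGN_LEN ((int)(sizeof BENIGN_TRACE / sizeof BENIGN_TRACE[0]))

/* Parse pid, syscall name, first numeric argument (-1 if absent) and return value. */
static int parse_line(const char *line, int *pid, char name[64], int *arg0, long *ret)
{
    const char *eq = strrchr(line, '=');
    int n = sscanf(line, "%d %63[^(](%d", pid, name, arg0);
    if (n < 2 || !eq || sscanf(eq + 1, "%ld", ret) != 1)
        return 0;
    if (n == 2)
        *arg0 = -1;
    return 1;
}

static void observe(struct eventfd_stats *st, int watch_pid, const char *line)
{
    int pid, arg0, i;
    long ret;
    char name[64];

    if (!parse_line(line, &pid, name, &arg0, &ret) || pid != watch_pid)
        return;
    if (strcmp(name, "eventfd2") == 0 || strcmp(name, "eventfd") == 0) {
        st->eventfd_calls++;
        if (ret >= 0 && st->nfds < MAX_FDS)
            st->fds[st->nfds++] = (int)ret;
        return;
    }
    if (strcmp(name, "close") == 0 && ret == 0 && arg0 >= 0) {
        /* Newest live eventfd with this number, so reused fd numbers attach to the newest object. */
        for (i = st->nfds - 1; i >= 0; i--) {
            if (st->fds[i] != arg0)
                continue;
            if (i % 2 == 1) st->closed_odd++; else st->closed_even++;
            st->fds[i] = -1;
            break;
        }
    }
}

static struct eventfd_stats run_trace(const char *const *lines, int n, int pid)
{
    struct eventfd_stats st;
    int i;
    memset(&st, 0, sizeof st);
    for (i = 0; i < n; i++)
        observe(&st, pid, lines[i]);
    return st;
}

static int eventfd_call_count(const char *const *lines, int n, int pid)
{
    return run_trace(lines, n, pid).eventfd_calls;
}

static int second_handle_closes(const char *const *lines, int n, int pid)
{
    return run_trace(lines, n, pid).closed_odd;
}

/* Verdict: at least min_calls eventfd allocations, and the released handles are
 * (almost) exactly every second one, i.e. holes left between kept neighbours. */
static int looks_like_eventfd_spray(const char *const *lines, int n, int pid, int min_calls)
{
    struct eventfd_stats st = run_trace(lines, n, pid);
    int expected_holes = st.eventfd_calls / 2;

    if (st.eventfd_calls < min_calls || expected_holes == 0)
        return 0;
    return st.closed_odd >= expected_holes - 1 && st.closed_even <= expected_holes / 4;
}

int main(void)
{
    printf("spray:  eventfd2=%d second-closes=%d verdict=%d\n",
           eventfd_call_count(SPRAY_TRACE, SPRAY_LEN, 4242),
           second_handle_closes(SPRAY_TRACE, SPRAY_LEN, 4242),
           looks_like_eventfd_spray(SPRAY_TRACE, SPRAY_LEN, 4242, 8));
    printf("benign: eventfd2=%d second-closes=%d verdict=%d\n",
           eventfd_call_count(BENIGN_TRACE, BENIGN_LEN, 4242),
           second_handle_closes(BENIGN_TRACE, BENIGN_LEN, 4242),
           looks_like_eventfd_spray(BENIGN_TRACE, BENIGN_LEN, 4242, 8));
    return 0;
}
```

The heuristic keys on the shape of the fd sequence rather than on raw call volume, which is why the interleaved getpid()/getuid() "garbage" calls in the constructed trace do not disturb it; an attacker who instead randomises which handles are released pays for it in the heap layout, which is the timing and reliability cost the summary mentions.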


In early 2021, an external researcher reported to Google three lines of code indicating that the xt_qtaguid kernel module, used for monitoring network socket status, had contained a use-after-free vulnerability (CVE-2021-0399) for 10 years. Unfortunately, the researcher did not provide any additional information or a PoC, and stated that the vulnerability was not exploitable on some Android devices due to the presence of CONFIG_ARM64_UAO. The Google Android Security team therefore decided to investigate the likelihood of exploitation of this vulnerability.

We will discuss and analyze the history of known vulnerabilities in the xt_qtaguid module along with the reported vulnerability. In addition, we will present several ways of exploiting the kernel through the bug. In particular, we will articulate how to circumvent CONFIG_ARM64_UAO using the ret2bpf technique and show a video demo of pwning a Mi 9 device, proving that the reported vulnerability allows an attacker to conduct local privilege escalation on the latest version of Android Pie with modern kernel protections enabled.

Furthermore, we will talk about the additional mitigations present in current Android versions that would block the exploitation described here, what Google knows about this vulnerability, and how Google detects Android exploit samples statically and dynamically, including with eBPF.