Rooting EVERY Android: From Extension to Exploitation

Presented at Black Hat Europe 2016, Nov. 3, 2016, 2:30 p.m. (60 minutes)

These years, Keen Lab of Tencent (formerly known as the Keen Team), worked on various Linux kernel bugs and applied some of them to Android devices for rooting. Rooting latest Android devices is more and more interesting and challenging in 2016. With SELinux being enforced more strictly, not many attack surfaces in kernel can be accessed by local user on Android. So, currently Linux Wireless-Extensions(WEXT) IOCTL is a really awesome attack surface in Android kernel. An Android application is able to invoke WEXT IOCTL interface via socket, and escalate privilege with WEXT-related kernel vulnerability. SELinux will not deny these kind of invoking.<br> <br> Normally, a Wireless-Extension on Android is implemented by Wi-Fi chipset vendor as a Linux kernel module. There are multiple chipsets available for Android devices, so different Android phone may have different implementation of WEXT. Broadcom Wi-Fi chipset is used on Google Nexus 6p, Huawei Mate 8, Samsung Galaxy and many other premium-end smartphones. Mediatek device always have its own Wi-Fi chipset. The rest of the devices, like Nexus 5x and Nexus 7, use Qualcomm chipset. We've found several different kernel bugs in every mentioned implementations of Linux WEXT on Android. With these vulnerabilities, we can gain root privilege on every Android device, no matter what Wi-Fi chipset it has.<br> <br> In this talk, we will not only introduce how to audit source code of WEXT on Android but also give three case studies of exploiting local privilege escalation vulnerabilities found in Broadcom, Qualcomm and Mediatek's implementation of WEXT.<br> <br> The first case study is exploiting a stack overflow vulnerability in Qualcomm WEXT, which requires building a special JOP chain to bypass PXN restriction in ARM64 Linux kernel. Only X19~X2n registers can be controlled when the overflow is triggered, so finding proper JOP gadgets to achieve kernel code execution is a challenge.<br> <br> The second case study is exploiting a data/BSS overflow vulnerability in Mediatek WEXT, which requires controlling PC by overwrite a function pointer in data section. The offset of function pointer is unknown, so another info leak vulnerability in WEXT will also be introduced here. This exploit doesn't need any hardcoded kernel symbol to gain root on most of Mediatek devices.<br> <br> The third case study is exploiting a use-after-free vulnerability in Broadcom WEXT; it requires two threads race into a kernel function in the same time to trigger a use-after-free issue due to race conditions. So we have to refill the freed object in very short time. Spraying kernel heap stably and quickly is a big challenge. Another interesting point of this case is that attacker (an untrusted application) need to ask 'system_server' process to trigger that UAF vulnerability in kernel via binder IPC.<br> <br> In summary, this presentation offers all exploitation techniques about rooting Android with mentioned WEXT vulnerabilities. Some ideas (e.g. the method of kernel heap spraying on Android) that have never been discussed before.


  • Di Shen - Security Researcher, Keen Lab,Tencent
    Di Shen (@returnsme) is a Security Researcher of Keen Lab (@keen_lab), focusing on Android kernel exploitation and vulnerability hunting since 2014. These years he has found several critical vulnerabilities in Android's kernel and TrustZone and successfully developed exploits for them. He is also one of the authors of CVE-2015-1805 exploit which is nominated for the Pwnie Awards.
  • Jiahong (James) Fang - Security Researcher, Keen Lab,Tencent
    James Fang (@idl3r) is a co-founder of Keen Lab (formerly known as Keen Team). His major interest is in Android/Linux kernel vulnerabilities and exploits. Working with a team of talents sharing the same interest, he has contributed multiple universal Android rooting tools to the community, among them are the CVE-2015-3636 (PingPong root) and CVE-2015-1805 exploit which were nominated for the Pwnie Awards (best privilege escalation bug category). James holds a bachelor's degree in information security from Shanghai Jiao Tong University. Before founding Keen Team, he was working for Microsoft.


Similar Presentations: