The Art of Exploiting UAF by Ret2bpf in Android Kernel

Presented at Black Hat Europe 2021, Nov. 10, 2021, 11:20 a.m. (40 minutes)

In early 2021, an external researcher reported to Google three lines of code indicating that the xt_qtaguid kernel module, used for monitoring network socket status, had contained a Use-After-Free vulnerability (CVE-2021-0399) for 10 years. Unfortunately, the researcher did not provide any additional information or a PoC, and stated that the vulnerability was not exploitable on some Android devices due to the presence of CONFIG_ARM64_UAO. The Google Android Security team therefore decided to investigate how likely exploitation of this vulnerability was.

We will discuss and analyze the history of known vulnerabilities in the xt_qtaguid module alongside the reported vulnerability. In addition, we will present several ways of exploiting the kernel through this bug. In particular, we will explain how to circumvent CONFIG_ARM64_UAO using the ret2bpf technique and show a video demo of pwning a Mi9 device, proving that the reported vulnerability could allow an attacker to conduct local privilege escalation on the latest version of Android Pie with modern kernel protections enabled.

Furthermore, we will talk about additional mitigations present in current Android versions that would block the exploitation described here, what Google knows about this vulnerability, and how Google detects Android exploit samples both statically and dynamically, including with eBPF.


Presenters:

  • Richard Neal - Staff Security Engineer, Google
    Richard Neal has been a lead on the Android Malware Research team at Google for the last 4 years, managing a group of security and software engineers working to solve problems around Android malware while trying to do as much technical work as possible. He has 22 years of professional experience in computer security, starting in the development of secure systems and then moving into vulnerability and malware analysis, as reverse engineering is fun.
  • Xingyu Jin - Security Engineer, Google
    Xingyu Jin has been a security engineer on the Google Android Security team, working in the device exploits and code deobfuscation groups. He has more than 2 years of professional experience in computer security, focusing on Android kernel exploit analysis and detection, kernel 0-day hunting, advanced reverse engineering, Android app security and APT hunting. He is also currently a member of the Nu1L CTF team and an organizer of Google CTF, as CTF is fun (sometimes).
