In early 2021, an external researcher reported to Google three lines of code indicating that the xt_qtaguid kernel module, used for monitoring network socket status, had contained a use-after-free vulnerability (CVE-2021-0399) for 10 years. Unfortunately, the researcher did not provide any additional information or a PoC, and stated that the vulnerability was not exploitable on some Android devices because of the presence of CONFIG_ARM64_UAO. The Google Android Security team therefore decided to investigate how likely this vulnerability was to be exploited.
We will discuss and analyze the history of known vulnerabilities in the xt_qtaguid module alongside the reported vulnerability. In addition, we will present several ways of exploiting the kernel through this bug. In particular, we will explain how to circumvent CONFIG_ARM64_UAO using the ret2bpf technique and show a video demo of pwning a Mi9 device, proving that the reported vulnerability could allow an attacker to perform local privilege escalation on the latest version of Android Pie with modern kernel protections enabled.
Furthermore, we will cover additional mitigations present in current Android versions that would block the exploitation described here, what Google knows about this vulnerability, and how Google detects Android exploit samples statically and dynamically, including with eBPF.