Presented at Black Hat USA 2015
Aug. 6, 2015, 11 a.m.
In recent months, we focus on bug hunting to achieve root on android devices. Our kernel fuzzing, leaded by @wushi, generated a lot of crashes and among them, we found a kernel Use-After-Free bug which lies in all versions of Linux kernel and we successfully take advantage of it to root most android devices(version>=4.3) on the market nowadays, even for the 64-bit ones.
We leverage this bug to root whatever android devices(version>=4.3) of whatever brands. And also we are the first one in the world, as far as we are aware, rooting the 64-bit android device by taking advantage of a kernel memory corruption bug. The related kernel exploitation method is unique.
In this talk, we will explain the root cause of this UAF bug and also the methods used to exploit it. We will demonstrate how we can fill the kernel memory once occupied by the vulnerable freed kernel object with fully user-controlled data by spraying and finally achieved arbitrarily code execution in kernel mode to gain root. All our spraying methods and exploiting ways apply to the latest Android kernel, and we also bypass all the modern kernel mitigations on Android device like PXN and so on. Even introduced 64-bit address space fails to stop our rooting. And a very important thing is that the rooting is stable and reliable. Actually, we will present a common way to exploit android kernel Use-After-Free bug to gain root. We will also cover some new kernel security issue on the upcoming 64-bit android platform in the future.
- KEEN Team
Wen Xu is an intern researcher at KEEN Team (@K33nTeam) and his primary focus is on Linux(Android) kernel bug finding and Android root exploitation. He is also interested in other advanced exploitation techniques. Currently he is a full-time undergraduate major in Computer Science and also the member of Lab of Cryptology and Computer Security, SJTU. In the past year, he keeps working on android root exploitation at KEEN Team. He has certain experience on linux kernel bug analysis and he is also familiar with the modern skills and methods in rooting and linux kernel mitigation bypassing. Besides rooting, he is the pwn2own winner where he took part in the pwn2own Adobe Reader category exploitation work with KEEN Team this year.As a big fan of CTF games, Wen Xu is the vice-captain of team 0ops. The team is the winner of this year's CodeGate CTF Final, and is ranked as top 5 team in the world currently.