TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices - Pwn Android Phones from 2015 to 2020

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 2:30 p.m. (40 minutes)

As more and more mitigations have been introduced into Android, modern Android devices have become much more difficult to root, and in particular to root remotely. This is especially true for Pixel devices, which always have the latest updates and mitigations. In this presentation, we will explain why Pixel devices are difficult targets and give an attack surface analysis of remotely compromising Android. We will also introduce an exploit chain, named TiYunZong, which can be leveraged to remotely root a wide range of Qualcomm-based Android devices, including Pixel devices. The exploit chain includes three new bugs: CVE-2019-5870, CVE-2019-5877 and CVE-2019-10567. We will also present an effective and stable approach to chaining these three vulnerabilities for exploitation without any ROP, even though ROP is the most common technique for exploiting complicated vulnerabilities. The exploit chain is the first reported one-click remote root exploit chain on Pixel devices and won the highest reward for a single exploit chain across all Google VRP programs.


Presenters:

  • Guang Gong - Head of 360 Alpha Lab, 360 Security
    Guang Gong is a Senior Security Researcher at 360 Security and the Team Leader of 360 Alpha Lab. His research interests include Windows rootkits, virtualization, and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android vulnerabilities. He and his team have found more than 300 vulnerabilities in Google and Qualcomm products. He has pwned various Android devices in many hacking competitions. A recently discovered exploit chain helped him win the highest reward in the history of all Google VRP programs.
