The difficulty of achieving remote root on Android devices has been increasing year by year. As more and more mitigations have been applied to both user space and kernel space, building a remote root exploit chain has become an extremely challenging task. Since our team's previous work, the TiYunZong exploit chain, achieved one-click remote root on the Pixel 3, we have once again set off toward this goal, targeting new Pixel devices with the latest updates.
In this presentation, we will introduce Mangkhut, an exploit chain that remotely roots modern Android devices with only two vulnerabilities: a Chrome vulnerability (CVE-2020-6537), which is used to achieve arbitrary code execution in the browser render process, and a Binder vulnerability (CVE-2020-0423), which can be leveraged to escalate from the highly sandboxed render process to root. We will explain the root cause of these vulnerabilities and present the technical details of the exploit chain. On the browser exploitation side, we will describe how to convert a restricted type confusion bug in V8 into a more powerful one with an out-of-bounds access primitive. For the sandbox escape portion, we will describe the difficulties encountered, such as the extremely narrow race window for triggering the bug and the limitations a compromised 32-bit render process faces when launching an exploit against a 64-bit kernel. We will present our approach to solving these issues and achieving arbitrary read and write by triggering the vulnerability only once. The exploit chain affects a wide range of devices running multiple versions of Android and was publicly acknowledged in Google's official vulnerability reward program annual report.