Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Presented at Black Hat USA 2021, Aug. 4, 2021, 1:30 p.m. (40 minutes)

The difficulty of remote root on Android devices has been increasing year by year. As more and more mitigations have been applied to both the user space and kernel space, building a remote root exploit chain becomes an extremely challenging task. Since the last time our team discovered the TiYunZong exploit chain to achieve one-click remote root on Pixel 3, we once again set off towards this goal targeting new Pixel devices with the latest updates.

In this presentation, we will introduce Mangkhut, an exploit chain that remotely roots modern Android devices using only two vulnerabilities: a Chrome vulnerability (CVE-2020-6537), used to achieve arbitrary code execution in the browser render process, and a Binder vulnerability (CVE-2020-0423), which is leveraged to escalate from that highly sandboxed process to root. We will explain the root cause of each vulnerability and present the technical details of the exploit chain. On the browser side, we will describe how a restricted type confusion bug in V8 is converted into a more powerful one that yields an out-of-bounds access primitive. On the sandbox escape side, we will describe the difficulties encountered, such as the extremely narrow race window for triggering the bug and the limitations a compromised 32-bit render process faces when launching an exploit against a 64-bit kernel. We will present our approach to solving these issues and achieving arbitrary read and write while triggering the vulnerability only once. The exploit chain affects a wide range of devices running multiple versions of Android and was publicly acknowledged in Google's official Vulnerability Reward Program annual report.

Presenters:

  • Peng Zhou - Security Researcher, 360 Alpha Lab
    Peng Zhou is a security researcher at 360 Alpha Lab. He focuses on kernel vulnerability hunting and exploitation.
  • Xiaodong Wang - Security Researcher, 360 Alpha Lab
    Xiaodong Wang (@d4gold4) is a security researcher at 360 Alpha Lab. He has found many vulnerabilities in the Linux Kernel. He was a winner of the CentOS category in the TianFu Cup 2020 Cybersecurity Contest.
  • Rong Jian - Security Researcher, 360 Alpha Lab
    Rong Jian is a security researcher at 360 Alpha Lab. His research focuses on Browser security. He was a winner of the Chrome category in the TianFu Cup 2020 Cybersecurity Contest.
  • Hongli Han - Security Researcher, 360 Alpha Lab
    Hongli Han (@hexb1n) is a security researcher at 360 Alpha Lab. He is interested in AOSP and kernel bug hunting and exploitation. He has spoken at several security conferences including HITB, MOSEC, and QPSS.