Heap isolation is an effective mitigation that reduces the exploitability of certain classes of vulnerabilities, especially Use-After-Free. In the Android/Linux kernel, a Use-After-Free vulnerability in a dedicated cache is difficult to exploit because none of the ideal victim objects can be allocated directly in the same cache, and from the Android11-5.4 kernel onward, CONFIG_SLAB_MERGE_DEFAULT is not set by default, which means dedicated caches are never merged into one to reduce memory fragmentation. Thus, to exploit a UAF vulnerability in a dedicated cache, a cross-cache attack technique has to be applied. However, since the well-known cross-cache attack techniques are time-consuming and less deterministic, many Use-After-Free vulnerabilities in dedicated caches draw little attention and are dismissed as unexploitable bugs.
In this talk, I will introduce "Ret2page", a new and generic exploitation technique. The key idea behind it is to tame both the SLUB and the buddy allocator. It aims to reduce time and memory consumption and to improve the success rate of physical page reuse. Moreover, to evaluate the effectiveness of the new technique and compare it with the well-known cross-cache attack techniques, I will analyze two typical Use-After-Free vulnerabilities fixed last year. Last but not least, to achieve arbitrary kernel memory read/write and gain root privilege, I will detail how to exploit each of those two vulnerabilities, bypass the general mitigations (KASLR, PAN, etc.), and build universal Android rooting solutions.
During the presentation, I will give exploit demos of rooting Android flagship devices. In summary, this new and generic exploitation technique and the exploitation ideas behind it have not been thoroughly presented in any previous talk.