Yong Wang, Robert Yuen

Two bugs with one PoC: Rooting Pixel 6 from Android 12 to Android 13

In this talk, I will first review an old and public vulnerability exploited in the wild, and detail how to create the PoC step by step. Even without Variable Analysis, you can find another similar issue and create a new PoC in less than 1 minute. And the same PoC implicitly triggers another Use-After-Free vulnerability without the kernel panic. Before diving into how to exploit those two bugs, I will briefly discuss the changes and challenges for rooting Android 12/13 devices. Then, I will detail in turn how to exploit each of those two vulnerabilities, bypass the general mitigations (KASLR, UAO, PAN, etc.), and root Pixel 6 from Android 12 to Android 13 with a 100% success rate.
