Two bugs with one PoC: Rooting Pixel 6 from Android 12 to Android 13

The Pixel 6 is the first phone to rock the new Tensor chip, fully designed and developed by Google. It ships with Linux kernel 5.10 which brings many new changes and challenges for rooting.

In this talk, I will first review an old and public vulnerability exploited in the wild, and detail how to create the PoC step by step. Even without Variable Analysis, you can find another similar issue and create a new PoC in less than one minute. Also, the same PoC implicitly triggers another Use-After-Free vulnerability without a kernel panic. Before diving into how to exploit those two bugs, I will briefly discuss the changes and challenges for rooting Android 12/13 devices. Then, I will detail in turn how to exploit those two vulnerabilities, bypass the general mitigations (KASLR, UAO, PAN, etc.), and root Pixel 6 from Android 12 to Android 13 with a 100% success rate.

During the presentation, I will give the exploit demo of rooting Pixel 6. In summary, the vulnerabilities and the ideas of exploitation have not been thoroughly presented in any previous talks.


About the Presenter: Yong Wang

Yong Wang (@ThomasKing2014) is a Security Engineer at Alibaba Security Pandora Lab, currently focusing on Android/Chrome vulnerability hunting and exploitation. He was a speaker at several security conferences including Black Hat (Asia 2018, Europe 2019, USA 2022), HITB Amsterdam 2018, Zer0Con (2019, 2022), QPSS 2019, POC 2020, etc. Over the years he has reported several vulnerabilities, one of which was nominated for a Pwnie Award in 2019.
