CanSecWest 2024

Presentations

From March 20 to 22

Yong Wang, Robert Yuen

Rooting Android Devices in One Shot: Simple Bug, Complex Exploit (incl. Memory Tagging Extension)

In the past few years, the kernel attack surfaces that can be reached by untrusted applications have been significantly reduced, and nowadays it has become more and more difficult to hunt for high-quality bugs. With more and more hardware and software mitigations, it is common to label low-quality bugs as unexploitable. From my own perspective, advanced exploitation techniques can significantly improve the exploitability of low-quality bugs. In this talk, I will first analyze a low-quality bug fixed last year. Back in 2015, there would have been no doubt that it was exploitable, but now the mitigations can hinder the exploitation directly. To exploit the bug, I will detail the idea of partially bypassing the KASLR mitigation and introduce a practical method for predicting the addresses of attacker-controlled kernel objects. Then, I will detail how to gain arbitrary physical memory read/write in one shot. Last but not least, since the affected devices ship with custom mitigations, I will also detail how to bypass them and gain root privilege. During the presentation, I will give exploit demos of rooting the affected Android devices.
