Binder - The Bridge To Root - Hongli Han and Mingjian Zhou

Hack In The Box Security Conference via YouTube

Overview

Explore a critical Android security vulnerability in this Hack In The Box Security Conference talk. Dive into the "Waterdrop" vulnerability (CVE-2019-2025) affecting the Binder driver, a key component of the Android system. Learn about its three striking features: universal root solution potential, sandbox escalation capabilities, and arbitrary read/write functionality. Discover how this vulnerability impacts most Android devices from the past two years, including Google Pixel models, Samsung, Huawei, and OPPO. Follow the speakers as they demonstrate successful rooting of the latest Pixel 3XL, 2XL, and Pixel devices. Gain insights into the Binder driver, IPC processes, and various heap spraying techniques used in exploiting this vulnerability. Understand the impact and implications of this security flaw on Android devices running kernel versions 3.18 to 4.20.

Syllabus

Intro
About CORE Team
What is Binder
Our work around Binder Driver
IPC through Binder driver
The imperfect protection of the "binder_buffer" object
The "all-round" vulnerability
Impact: The "Waterdrop"
Stable DoS to Memory corruption
The Baits
Info leaks
Heap spraying skills: guard heap spray
Heap spraying skills: bullet spray
Heap spraying skills: mirror spray
How to arbitrary write with arbitrary data
KSMA Attack
Conclusion

Taught by

Hack In The Box Security Conference
