Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

The Art of Exploiting UAF by Ret2bpf in Android Kernel

Black Hat via YouTube

Overview

Explore the intricacies of exploiting a Use-After-Free vulnerability in the Android kernel's xt_qtaguid module in this 32-minute Black Hat conference talk. Delve into the history of vulnerabilities in the module, including the recently discovered CVE-2021-0399. Follow the Google Android Security team's investigation into the exploit potential, examining techniques like double free on kmalloc-128, KASLR leak, and various rooting methods. Learn about kernel protection mechanisms such as CONFIG_SLAB_FREELIST_HARDENED, KFENCE, and Kernel Control Flow Integrity. Gain insights into on-device protection, backend infrastructure, and behavioral detection methods used to mitigate such vulnerabilities in Android systems.

Syllabus

Intro
xt_qtaguld - Introduction
xt_qtagulud Open Device
CVE-2017-13273
eventfd leaks kernel heap address
Step 1 - Double Free on kmalloc-128
KASLR Leak
Rooting (possible primitives)
Step 3 - Rooting (controlling seq_operations)
Step 3 - Rooting (overwriting addr_limit?)
Step 3 - Rooting (the ultimate ROP)
Step 3 - Rooting (root shell)
Summarization for Exploiting CVE-2021-0399
CONFIG_SLAB_FREELIST HARDENED
KFENCE
Kernel Control Flow Integrity
CONFIG_DEBUG_LIST
On-Device Protection
Backend Infrastructure
Behavioural Detection
Summary

Taught by

Black Hat

Reviews

Start your review of The Art of Exploiting UAF by Ret2bpf in Android Kernel

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.