Explore the intricacies of exploiting a Use-After-Free vulnerability in the Android kernel's xt_qtaguid module in this 32-minute Black Hat conference talk. Delve into the history of vulnerabilities in the module, including the recently discovered CVE-2021-0399. Follow the Google Android Security team's investigation into the exploit potential, examining techniques like double free on kmalloc-128, KASLR leak, and various rooting methods. Learn about kernel protection mechanisms such as CONFIG_SLAB_FREELIST_HARDENED, KFENCE, and Kernel Control Flow Integrity. Gain insights into on-device protection, backend infrastructure, and behavioral detection methods used to mitigate such vulnerabilities in Android systems.
The Art of Exploiting UAF by Ret2bpf in Android Kernel
Overview
Syllabus
Intro
xt_qtaguld - Introduction
xt_qtagulud Open Device
CVE-2017-13273
eventfd leaks kernel heap address
Step 1 - Double Free on kmalloc-128
KASLR Leak
Rooting (possible primitives)
Step 3 - Rooting (controlling seq_operations)
Step 3 - Rooting (overwriting addr_limit?)
Step 3 - Rooting (the ultimate ROP)
Step 3 - Rooting (root shell)
Summarization for Exploiting CVE-2021-0399
CONFIG_SLAB_FREELIST HARDENED
KFENCE
Kernel Control Flow Integrity
CONFIG_DEBUG_LIST
On-Device Protection
Backend Infrastructure
Behavioural Detection
Summary
Taught by
Black Hat
