Mirror Mirror: Rooting Android 8 with a Kernel Space Mirroring Attack


In 2016, several Stagefright inspired mitigations have been added to Android Nougat. One outstanding change is that the mediaserver process does not have all the capabilities like Bluetooth, etc. Those capabilities have been granted to several new daemons. Recently, Android 8.0 has released, born with new kernel harden features(PAN and KASLR, etc.) and more strict SELinux policies enforcing. Rooting large numbers of newest Android devices with one single vulnerability is quite a challenge.

In this presentation, we will first detail an Out-Of-Bounds writing vulnerability exploitation in media framework. Since the overwriting bytes are ‘0x80’s and the vulnerability is triggered during decoding a crafted mp4 file, it’s quite challenging to shape the memory layout of a remote high privilege process and achieve PC control. We will detail how the shared memory can be used to pad the memory and bypass ASLR, how to escape the SECCOMP sandbox of mediacodec, and control one thread of mediaserver with almost 100% success rate.

We will detail a new rooting solution ReVent. It derives from a Use-After-Free vulnerability due to race condition, which affects all the Android devices shipped with >=3.18 Linux kernel, and can be executed by any untrusted application. Since many different slab objects are frequently allocated/freed on the same heap during exploiting process, it’s quite challenging to shape heap Fengshui and achieve kernel code execution. We will demonstrate how to use the TOCTOU feature of pipe subsystem to convert Out-Of-Bounds writing to gain arbitrary kernel memory overwriting stably.

It’s no doubt that using the old public exploitation technique like overwriting ptmx_fops to bypass PXN is straightforward. Unsurprisingly, it can hardly defeat “Oreo” due to PAN mitigation. To bypass PXN and PAN mitigation on Android 8.0, we will introduce a new kernel exploitation technique, named Kernel Space Mirroring Attack(KSMA). It derives from a tiny improper design of the virtual memory translation descriptor of ARM virtual memory system, which violates the Least Privilege secure design principle. This exploitation technique enables an attacker to r/w kernel text/data virtual address from user mode(EL0) without any syscalls. Combined with the above vulnerability, the newest Android 8.0 devices can be rooted.

Location: Track 2 Date: April 12, 2018 Time: 4:30 pm - 5:30 pm Yong Wang Yang Song