![Page 1: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/1.jpg)
Wen `Memeda` Xu @K33nTeam
AH! UNIVERSAL ANDROID ROOTING IS BACK
![Page 2: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/2.jpg)
Wen Xu a.k.a Memeda @antlr7
ABOUT ME• Security research intern at KeenTeam
• Android Roo6ng
• So8ware exploita6on
• Senior student at Shanghai Jiao Tong University
• Member of LoCCS
• Vice-‐captain of CTF team 0ops
• Rank 2rd in the world on CTFTIME
![Page 3: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/3.jpg)
AGENDA• Present Situa6on of Android Roo6ng • Awesome Bug (CVE-‐2015-‐3636)
• Fuzzing • Analysis
• Awesome Exploita6on Techniques • Object Re-‐filling in kernel UAF • Kernel Code Execu@on • Targe@ng 64bit Devices
• Future
![Page 4: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/4.jpg)
Present Situation
PART I
![Page 5: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/5.jpg)
PRESENT SITUATION• Goal
• uid=0(root) gid=0(root) groups=0(root)
• Kernel arbitrary read/write
• Cleaning
• SELinux
• …
Root for what?
![Page 6: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/6.jpg)
PRESENT SITUATION• SoC (Driver)
• Missing argument sani6za6on (ioctl/mmap)
• Qualcomm camera drivers bug CVE-‐2014-‐4321, CVE-‐2014-‐4324 CVE-‐2014-‐0975, CVE-‐2014-‐0976
• TOCTTOU
• Direct dereference in user space CVE-‐2014-‐8299
• Chip by chip
![Page 7: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/7.jpg)
A BIG DEAL• Universal root solu6on
• Universally applied bug • Confron@ng Linux kernel
• Universally applied exploita6on techniques • One exploit for hundreds of thousands of devices • Adaptability (Hardcode) • User-‐friendly (Stability)
• COMING BACK AGAIN!
![Page 8: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/8.jpg)
Bug Hunting
PART II
![Page 9: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/9.jpg)
Open source kernel syscall fuzzer
FUZZING
• Trinity
• h_ps://github.com/kernelslacker/trinity
• Scalability
• Ported to ARM Linux
![Page 10: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/10.jpg)
Let’s take a look at our log when we wake up ;)
FUZZING • Cri6cal paging fault at 0x200200?!!
![Page 11: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/11.jpg)
user_sock_fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
SK: PING SOCKET OBJECT IN KERNEL
![Page 12: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/12.jpg)
ping_unhash (__hlist_nulls_del)
TWO times
LIST_POISON2 == 0X200200
1
23
0x200200 not mapped kernel crash
![Page 13: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/13.jpg)
disconnect() in kernel through
connect() in user program
ROAD TO PING_UNHASH
![Page 14: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/14.jpg)
Local denial of service? Not enough!
USE-AFTER-FREE• Avoid crash: map 0x200200 in the user space
• Then hmm…
• sock_put(sk) is called twice ;)
• What’s PUT?
![Page 15: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/15.jpg)
CVE-2015-3636
USE-AFTER-FREE• sock_put(sk) twice Ref count to 0 sk_free!
• A dangling file descriptor le` in the user program
![Page 16: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/16.jpg)
Exploitation
PART III
![Page 17: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/17.jpg)
ANNOYING PROBLEM RE-FILLING
WHEN IT COMES TO UAF• Our target: struct sock object
• kmem_cache_alloc(“PING”, priority & ~__GFP_ZERO);
• Custom use cache ;(
![Page 18: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/18.jpg)
A specific area for the allocation of kernel objects of particular type Here we meet the type called “PING” xD
SLAB CACHE
![Page 19: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/19.jpg)
RE-FILLING IS REALLY A TOUGH JOB
WE ARE IN THE KERNEL• Slab allocator
• Hmm…Just like Isolated Heap
• Mul1-‐thread/core
• Hard to achieve fully predictable heap layout
• Candidate kernel objects
• Lack of controllability
• Controllable content?
• No BSTR in kernel lol
![Page 20: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/20.jpg)
WHAT USED TO RE-FILL• Common use slab cache
• Several choices on size
• 32, 48, 64, 128, 256, 512, 1024…
• How to create: sendmmsg()
• Size control: length of control msg
• Content control: content of control msg
Initial idea: kmalloc() buffer
![Page 21: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/21.jpg)
Basically, a completely free slab has large probability to be recycled for future allocation
INTUITIVE IDEA
• Why we always enjoy use-‐a`er-‐free bug?
• Memory reuse for efficiency and op@miza@on
• No excep@on in kernel
• 1. Fill slabs with totally PING socket objects
• 2. Free all of them and spray kmalloc-‐x buffers
• Exactly possible, but … out of control
![Page 22: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/22.jpg)
Newly adopted SLUB allocator tries to put the objects of the same size together, which de-
separates the kernel objects to some extent
SLUB HELPS US?
• Does our target object have a size of 32, 48, 64, 128, 256 or 512?
• Use kmalloc() buffers to re-‐occupy
• Much more stable and accurate
• BUT ping socket objects on different devices have different sizes
• Also the sizes may not be 32, 48, 64, …
![Page 23: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/23.jpg)
Universal Solution #1
KERNEL MEMORY CONTROL
![Page 24: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/24.jpg)
RET2DIR• ret2dir: Rethinking Kernel Isola6on (USENIX 14’)
• Vasileios P. Kemerlis Michalis Polychronakis Angelos D. Keromy6s
• Physmap is originally used to bypass kernel protec6ons
• SMEP, SMAP, PXN, PEN …
• Will it help to exploit kernel use-‐a8er-‐free as well?
![Page 25: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/25.jpg)
Physmap, the direct-mapped memory, is memory in the kernel which would directly map the memory in the user space into the kernel space.
THE RETURN OF PHYSMAP
![Page 26: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/26.jpg)
Again, based on the natural weakness of the system: MEMORY REUSE
THE RETURN OF PHYSMAP
• How to create: itera@vely mmap() in user space
• Data control: fully user-‐controlled (fill mmap()’ed area with our payload)
• Physmap with payload grows by occupying the free memory in the kernel
![Page 27: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/27.jpg)
THE RETURN OF PHYSMAP• Size control:
• Large enough to fill any freed memory in the kernel theore@cally
With physmap, we are able to exploit UAF in the kernel regardless of what vulnerable object is
Table [1] from ret2dir: Rethinking Kernel Isolation (USENIX 14’)
![Page 28: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/28.jpg)
Achieve kernel spraying through user space spraying
INITIAL PLAN
• 1. Allocate a large number of ping socket objects and then free all of them by triggering the bug.
• 2. Itera6vely call mmap() in the user program and fill the area.
• Hope the memory collision will happen?
![Page 29: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/29.jpg)
Universal Solution #2
RELIABILITY
![Page 30: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/30.jpg)
Make PING socket objects and physmap overlapped ;)
RELIABLE MEMORY COLLISION
• Spray PING socket objects
• In each step, every 500 PADDING PING objects
• Make our PING socket objects appear everywhere in kernel space
• 1 TARGET PING objects
• Used to pwn
![Page 31: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/31.jpg)
Universal Solution #3
CREATE LEAK
![Page 32: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/32.jpg)
Find an info leak to know whether our targeting PING socket object has already been covered by physmap or not
HATE TO THROW A DICE
![Page 33: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/33.jpg)
• Allocate hundreds of PING socket objects in group.
• Every 500 padding objects with 1 targe6ng object considered as a vulnerable one.
• Free padding PING socket objects normally by calling close()
• Free targe6ng PING socket objects by triggering the bug
• Such de-‐alloca6on generates large pieces of free memory for physmap
• Itera6vely call mmap() in user space and fill the areas
• Payload + magic number for re-‐filling checking
• Itera6vely call ioctl() on targe6ng PING socket objects
• ioctl() returns magic number? Done.
• Otherwise further physmap spraying is needed.
Notice: certain adjustment and optimization in practical root tool
![Page 34: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/34.jpg)
UNLEASH KERNEL UAF
• A generic memory collision model in Linux kernel
• Solve several difficul6es when exploi6ng kernel use-‐a8er-‐frees
• Hard to mi6gate due to kernel’s inherent property
separated allocation AND multi-core/thread
AND incontrollable creation and content
![Page 35: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/35.jpg)
Now we have full control of the content of a freed PING object with the corresponding dangling fd in our hand
PC CONTROL• User: just close(fd)
• Kernel: inet_release called
• ‘v8able’: sk-‐>sk_prot
• Set sk_prot as a mapped virtual address in user space
• Return to user land shellcode
![Page 36: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/36.jpg)
Geohot taught us again in Towelroot
WHAT DOES SHELLCODE DO
• Leak kernel stack address
• Get thread_info address
• Change addr_limit to 0
• Achieve kernel arbitrary read/write through pipe
Original idea from Stackjacking Your Way to grsec/PaX Bypass
![Page 37: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/37.jpg)
Don't count your chickens before they hatch.
Our goal is to root whatever devices of whatever brands.
WHAT ABOUT 64BIT DEVICES
• Bug existed?
• LIST_POISON2?
• S6ll 0x200200 which can be mapped
• Memory collision with phsymap?
• Return to shellcode in user space?
![Page 38: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/38.jpg)
PXN prevents userland execution from kernel
OOPS! PXN APPLIED.• Return to physmap? NX ;(
• ROP comes on stage
• Two steps
• First step: leak kernel stack address
• Second step: change addr_limit to 0
• Hardcoded addresses of gadgets ;(
![Page 39: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/39.jpg)
In fact we prefer JOP (Jump-Oriented Programming)
ROP TIPS• Avoid stack pivo6ng in kernel which brings uncertainty
• Make full use of current values of the registers
• X29 stores SP value on 64bit devices
• High 32bits of kernel addresses are the same
• Only need to read/write low 32bits
• Work hard to find cool gadgets
• One GOD gadget does both leaking and overwri6ng in some ROMs
![Page 40: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/40.jpg)
Victory!
CONCLUSION• Root most popular Android devices on market
• Android version >= 4.3
• First 64bit root case in the world as known
• S6 & S6 Edge root
• DEMO ;)
![Page 41: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/41.jpg)
![Page 42: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/42.jpg)
Future
PART IV
![Page 43: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/43.jpg)
64bit devices could be more secure
FUTURE• LIST_POISON2 in 64bit Android kernel
• 0x200200 Set as 0xDEAD000000000000 • Prevent memory collision with physmap
• Enough virtual address space there • KASLR • Days become harder for linux kernel pwners
• Where there is a will there is a way
![Page 44: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/44.jpg)
PWNIE• In this paper, 3 pwnies nomina6ons were
leveraged.
• Wu Shi -‐ Finding CVE-‐2015-‐3636
• Universal Root -‐ Privilege escala6on
• ret2dir -‐ Exploita6on technique
![Page 45: Us 15 Xu Ah Universal Android Rooting is Back](https://reader031.vdocuments.mx/reader031/viewer/2022020223/577c86051a28abe054bf7e49/html5/thumbnails/45.jpg)
Thanks for contributions and inspirations
ACKNOWLEDGEMENT• wushi
• jfang
• LeoC
• Liang Chen
• Slipper
• Peter
Pictures in the slide come from Google