Rooting Android Devices in One Shot: Simple Bug, Complex Exploit (incl. Memory Tagging Extension)

In the past few years, the kernel attack surfaces that can be accessed by untrusted applications have been significantly reduced, and nowadays it is becoming more and more difficult to find high-quality bugs. With more and more hardware and software mitigations, it is common to label low-quality bugs as unexploitable. From my own perspective, advanced exploitation techniques can significantly improve the exploitability of low-quality bugs. In this talk, I will first analyze a low-quality bug fixed last year. Back in 2015, there would have been no doubt that it was exploitable, but now the mitigations hinder exploitation directly. To exploit the bug, I will detail the idea of partially bypassing the KASLR mitigation and introduce a practical method to predict the addresses of attacker-controlled kernel objects. Then, I will detail how to gain arbitrary physical memory read/write ability in one shot. Last but not least, since the affected devices ship with custom mitigations, I will also detail how to bypass them and gain root privilege. During the presentation, I will give exploit demos of rooting the affected Android devices.

About the Presenter: Yong Wang

Yong Wang (@ThomasKing2014) is a Security Engineer at Alibaba Cloud Pandora Lab. Yong currently focuses on Android/browser vulnerability hunting and exploitation. He has spoken at several security conferences, including Black Hat (Asia, Europe, USA), HITB Amsterdam, Zer0Con, POC, CanSecWest, MOSEC, and QPSS. Over the years, he has reported several vulnerabilities, one of which was nominated for a Pwnie Award in 2019.
