In this talk on Android vulnerability research and exploitation, we will examine privilege escalation vulnerabilities, disclose new ones, and look at their respective PoCs.
The attack surface on Android for escalating privileges directly to “root” is shrinking release after release, due to security fixes, auditing, and mitigations such as SELinux. For that reason, we will focus on a different approach: exploiting components running as the “system” user, or applications signed with the OEM system signature key, gives an adversary access to more targets and encourages the chaining of several exploits.
Once code execution is reached in one of those contexts (the “system” user or a system-signed app), an attacker holds a dangerous position in the system, capable of doing nefarious things. In particular, with code execution as “system”, the attack surface available for escalating to “root” is greatly increased. We will therefore examine these two-step privilege escalation chains (unprivileged -> system -> root).
After explaining the vulnerabilities conceptually, we will give exploit demonstrations that showcase the attack vectors of each one. As we will see, these vulnerabilities originate from different contexts: components that reside in AOSP, OEM customizations, and even applications that are publicly available in the app stores and signed with OEM keys.