Root Hundreds of Thousands of Android Devices with One Generic Exploit

PRESENTATION SLIDES (PDF)

In this talk, I will present the generic root solution of KeenTeam (thanks to @jfang and @qoobee of KeenTeam) which is released in May this year. The talk mainly involves two parts.

The first part is about the discovery of the vulnerability (CVE-2015-3636) which we leverage to achieve privilege promotion on Android devices. It is originally an access of invalid virtual address in Linux kernel found by our custom kernel syscall fuzzer (leaded by @wushi of KeenTeam). And I will show how to turn it into a use-after-free bug on PING socket object in the kernel. The root cause of this bug will be revealed, which reflects certain insecurity of the Android kernel compared with the Linux kernel currently.

The second part is the highlight of our work, where I will put forward a generic undocumented approach to exploit use-after-free vulnerabilities in Linux kernel which we applied in our root tool. One can use this approach to exploit any use-after-free vulnerabilities on Linux kernel objects. It can be universally applied to all the Android devices and PC Linux. It is effective both for 32bit and 64bit processors.

Conference
Location: Lavender I & II Date: October 16, 2015 Time: 3:00 pm - 4:00 pm Wen Xu