Ah! Universal Android Rooting is Back

by Wen Xu Sept. 18, 2017 via Black Hat submitted by belen_caty

In this talk, we will explain the root cause of this UAF bug and the methods used to exploit it. We will demonstrate how we can fill the kernel memory once occupied by the vulnerable freed kernel object with fully user-controlled data by spraying, and finally achieve arbitrary code execution in kernel mode to gain root. All our spraying methods and exploitation techniques apply to the latest Android kernel, and we also bypass all the modern kernel mitigations on Android devices, such as PXN. Even the newly introduced 64-bit address space fails to stop our rooting. Importantly, the rooting is stable and reliable. In fact, we will present a general way to exploit Android kernel Use-After-Free bugs to gain root. We will also cover some new kernel security issues on the upcoming 64-bit Android platform.


Steven Ulm 4 weeks, 1 day ago

Great briefing! Developers should read stuff like this more in order to be able to prevent and fix the Universal Android Rooting bugs!