The Art of Exploiting UAF by Ret2bpf in Android Kernel
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the intricacies of exploiting a Use-After-Free vulnerability in the Android kernel's xt_qtaguid module in this 32-minute Black Hat conference talk. Delve into the history of vulnerabilities in the module, including the recently discovered CVE-2021-0399. Follow the Google Android Security team's investigation into the exploit potential, examining techniques like double free on kmalloc-128, KASLR leak, and various rooting methods. Learn about kernel protection mechanisms such as CONFIG_SLAB_FREELIST_HARDENED, KFENCE, and Kernel Control Flow Integrity. Gain insights into on-device protection, backend infrastructure, and behavioral detection methods used to mitigate such vulnerabilities in Android systems.
Syllabus
Intro
xt_qtaguld - Introduction
xt_qtagulud Open Device
CVE-2017-13273
eventfd leaks kernel heap address
Step 1 - Double Free on kmalloc-128
KASLR Leak
Rooting (possible primitives)
Step 3 - Rooting (controlling seq_operations)
Step 3 - Rooting (overwriting addr_limit?)
Step 3 - Rooting (the ultimate ROP)
Step 3 - Rooting (root shell)
Summarization for Exploiting CVE-2021-0399
CONFIG_SLAB_FREELIST HARDENED
KFENCE
Kernel Control Flow Integrity
CONFIG_DEBUG_LIST
On-Device Protection
Backend Infrastructure
Behavioural Detection
Summary
Taught by
Black Hat
Related Courses
3D Graphics in Android: Sensors and VRImperial College London via Coursera A Simple Picture Storing App with Java and Android Studio
Coursera Project Network via Coursera Advanced App Development in Android Capstone
Imperial College London via Coursera Capstone MOOC for "Android App Development"
Vanderbilt University via Coursera Access NFC in an Android Studio Project
Coursera Project Network via Coursera