YoVDO

The Art of Exploiting UAF by Ret2bpf in Android Kernel

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Android Development Courses, Security Research Courses, Use-After-Free Vulnerability Courses

Course Description

Overview

Explore the intricacies of exploiting a Use-After-Free vulnerability in the Android kernel's xt_qtaguid module in this 32-minute Black Hat conference talk. Delve into the history of vulnerabilities in the module, including the recently discovered CVE-2021-0399. Follow the Google Android Security team's investigation into the exploit potential, examining techniques like double free on kmalloc-128, KASLR leak, and various rooting methods. Learn about kernel protection mechanisms such as CONFIG_SLAB_FREELIST_HARDENED, KFENCE, and Kernel Control Flow Integrity. Gain insights into on-device protection, backend infrastructure, and behavioral detection methods used to mitigate such vulnerabilities in Android systems.

Syllabus

Intro
xt_qtaguid - Introduction
xt_qtaguid Open Device
CVE-2017-13273
eventfd leaks kernel heap address
Step 1 - Double Free on kmalloc-128
KASLR Leak
Rooting (possible primitives)
Step 3 - Rooting (controlling seq_operations)
Step 3 - Rooting (overwriting addr_limit?)
Step 3 - Rooting (the ultimate ROP)
Step 3 - Rooting (root shell)
Summarization for Exploiting CVE-2021-0399
CONFIG_SLAB_FREELIST_HARDENED
KFENCE
Kernel Control Flow Integrity
CONFIG_DEBUG_LIST
On-Device Protection
Backend Infrastructure
Behavioural Detection
Summary
Taught by

Black Hat

Related Courses

Attacking iPhone XS Max
Black Hat via YouTube
Use-After-Use-After-Free - Exploit UAF by Generating Your Own
Black Hat via YouTube
Ret2page - The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache
Black Hat via YouTube
Breaking Android Kernel Isolation and Rooting with ARM MMU Features
Black Hat via YouTube
Exploiting a Limited UAF on Ubuntu 22.04 to Achieve LPE
Hack In The Box Security Conference via YouTube