YoVDO

The Art of Exploiting UAF by Ret2bpf in Android Kernel

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Android Development Courses, Security Research Courses, Use-After-Free Vulnerability Courses

Course Description

Overview

Explore the intricacies of exploiting a Use-After-Free vulnerability in the Android kernel's xt_qtaguid module in this 32-minute Black Hat conference talk. Delve into the history of vulnerabilities in the module, including the recently discovered CVE-2021-0399. Follow the Google Android Security team's investigation into the exploit potential, examining techniques like double free on kmalloc-128, KASLR leak, and various rooting methods. Learn about kernel protection mechanisms such as CONFIG_SLAB_FREELIST_HARDENED, KFENCE, and Kernel Control Flow Integrity. Gain insights into on-device protection, backend infrastructure, and behavioral detection methods used to mitigate such vulnerabilities in Android systems.

Syllabus

Intro
xt_qtaguid - Introduction
xt_qtaguid Open Device
CVE-2017-13273
eventfd leaks kernel heap address
Step 1 - Double Free on kmalloc-128
KASLR Leak
Rooting (possible primitives)
Step 3 - Rooting (controlling seq_operations)
Step 3 - Rooting (overwriting addr_limit?)
Step 3 - Rooting (the ultimate ROP)
Step 3 - Rooting (root shell)
Summarization for Exploiting CVE-2021-0399
CONFIG_SLAB_FREELIST_HARDENED
KFENCE
Kernel Control Flow Integrity
CONFIG_DEBUG_LIST
On-Device Protection
Backend Infrastructure
Behavioural Detection
Summary
Taught by

Black Hat
