TiYunZong Exploit Chain to Remotely Root Modern Android Devices - Pwn Android Phones from 2015-2020

Explore an in-depth presentation on the TiYunZong exploit chain, capable of remotely rooting a wide range of Qualcomm-based Android devices, including Pixel phones, from 2015 to 2020. Delve into the challenges of compromising modern Android devices, particularly Pixel devices with their latest updates and mitigations. Analyze the remote attack surface of smartphones and gain insights from the speaker's experience in exploiting Android systems. Examine three new vulnerabilities (CVE-2019-5870, CVE-2019-5877, CVE-2019-10567) that form the core of the TiYunZong exploit chain. Learn about Chrome v8's JSFunction memory layout, the intricacies of Chrome's multi-process architecture, and the Content Decryption Module (CDM) implementation. Understand the exploitation strategies, including triggering use-after-free conditions and manipulating ring buffers. Witness a demonstration of the exploit chain in action, showcasing its effectiveness against modern Android devices.

Intro
Why Google Pixel Phone Is A Tough Target
Remote Attack Surface of Smart Phones
Experience of Pwning Android Devices
The Exploit Chain(TiYunZong)
Torque in Chrome v8
JSFunction Memory Layout
The Bug(CVE-2019-5877)
Trigger the Bug
How to Exploit
Exploit Strategy
Chrome' s Multi-Process Architecture
The Mojo Interface Definition of Content Decryption Module (CDM)
The Implementation of the Initialized Function of CDM
The Fucntion RegisterCdm
Trigger UAF
Exploit the ERP Bug
The Format of the Scratch Memory
Where is the Bug
of a Ring Buffer
Read And Write Pointer
Allocate Space From Ring Buffer
Overwrite Exist Instructions
CP Instruction Sequence of Executing IOCTL_KGSL GPU COMMAND
The Process of Exploiting CVE-2019-10567
Demo