In recent months, we focus on bug hunting to achieve root on android devices. Our kernel fuzzing, leaded by @wushi, generated a lot of crashes and among them, we found a kernel Use-After-Free bug which lies in all versions of Linux kernel and we successfully take advantage of it to root most android devices(version>=4.3) on the market nowadays, even for the 64-bit ones.
We leverage this bug to root whatever android devices(version>=4.3) of whatever brands. And also we are the first one in the world, as far as we are aware, rooting the 64-bit android device by taking advantage of a kernel memory corruption bug. The related kernel exploitation method is unique.In this talk, we will explain the root cause of this UAF bug and also the methods used to exploit it. We will demonstrate how we can fill the kernel memory once occupied by the vulnerable freed kernel object with fully user-controlled data by spraying and finally achieved arbitrarily code execution in kernel mode to gain root. All our spraying methods and exploiting ways apply to the latest Android kernel, and we also bypass all the modern kernel mitigations on Android device like PXN and so on. Even introduced 64-bit address space fails to stop our rooting. And a very important thing is that the rooting is stable and reliable. Actually, we will present a common way to exploit android kernel Use-After-Free bug to gain root. We will also cover some new kernel security issue on the upcoming 64-bit android platform in the future.