Recently, Android 8.0 has released, born with new kernel harden features and more strict SELinux policies enforcing. Rooting large numbers of newest Android devices with one single vulnerability is quite a challenge.

In this talk, we will first detail a new rooting solution ReVent. It derives from a Use-After-Free vulnerability due to race condition, which affects all the Android devices shipped with >=3.18 Linux kernel, and can be executed by any untrusted application. Since many different slab objects are frequently allocated/freed on the same heap during exploiting process, it’s quite challenging to shape heap Fengshui and achieve kernel code execution. We will demonstrate how to use the TOCTOU feature of pipe subsystem to gain arbitrary kernel memory overwriting.

It’s no doubt that using the old public exploitation technique like overwriting ptmx_fops to bypass PXN is straightforward. Unsurprisingly, it can hardly defeat “Oreo” due to PAN mitigation. To bypass PXN and PAN mitigation on Android 8.0, we will introduce a new kernel exploitation technique, named Kernel Space Mirroring Attack(KSMA). It derives from ARM MMU features and enables an attacker to r/w kernel text/data virtual address from user mode(EL0) without any syscalls. Combined with the above vulnerability, the newest Android 8.0 devices can be rooted.

Another rooting solution CPRooter will also be detailed in this presentation. The vulnerability, which affects large numbers of Qualcomm Android devices, enables an attacker to r/w the TTBRx registers. Without constructing all level page tables, modifying the value of any TTBRx registers can lead to the kernel crash. We will demonstrate how to solve the problem with ARM MMU features and construct a 100% reliable exploit chain on Android 64-bit devices using KSMA exploitation technique.

In summary, the ideas of exploitation are fresh, and the new exploitation technique KSMA against Android 8.0 we proposed has never been discussed before.

Rooting video for Android 8