With more strict SELinux policies and mitigations, Android rooting is becoming an “impossible” challenge.
In this talk, I will first introduce a type confusion kernel bug I found last year, which affects all the Android devices. Since the affected slab caches are all dedicated, I will detail how to shape Heap Fengshui and convert it to a Use-After-Free vulnerability.
Next, I will detail how to leverage the freed objects and bypass KASLR/PXN/PAN mitigations effectively.
Android 9 introduces KCFI mitigation. In reality, some Android vendors have had implemented the KCFI mitigation on their Android 8 devices. To build the universal Android rooting solution, I will detail their KCFI implementation, how to bypass it and gain the root privilege.