Own your Android! Yet Another Universal Root Wen Xu Yubin Fu - PowerPoint PPT Presentation

  1. Own your Android! Yet Another Universal Root
  Wen Xu (xuwen.sjtu@gmail.com), Yubin Fu (QooBee1993@gmail.com), Keen Team
  Usenix Woot 15'

  2. About Me
  • Security research intern at Keen Team
    – Mobile vulnerability research
  • Android Rooting
    – Software Exploitation
  • Undergraduate student at Shanghai Jiao Tong University
    – Research member of LoCCS

  3. Introduction
  • Universal Android root solution by Keen Team
    – CVE-2015-3636: kernel use-after-free vulnerability
    – Undocumented overwriting techniques targeting kernel use-after-free vulnerabilities
  • Reliable
  • Universally applicable
    – First 64-bit root case in the world
  • PingPongRoot
  • PXN bypassed by kernel ROP

  4. Roadmap
  • Vulnerability (CVE-2015-3636)
  • Proof-of-Concept
  • Exploitation
    – Goal
    – Re-filling
    – 64-bit devices
    – Privilege escalation
  • Conclusion

  6. Vulnerability (CVE-2015-3636)
  • Critical page fault at 0x200200

  7. Vulnerability (CVE-2015-3636)
  • sk: the PING socket object in the kernel

  8. Vulnerability (CVE-2015-3636)
  • ping_unhash() (hlist_nulls_del) runs twice
    – LIST_POISON2 == 0x200200
    – 0x200200 is not mapped -> kernel crash

  9. Vulnerability (CVE-2015-3636)
  • Invoke connect() twice from the user program
    – sa_family == AF_UNSPEC

  10. Vulnerability (CVE-2015-3636)
  • Review ping_unhash
    – Map 0x200200 to avoid the crash
    – sock_put(sk)?

  11. Vulnerability (CVE-2015-3636)
  • sock_put(sk) twice -> ref-count is 0 -> sk_free
  • A dangling file descriptor is left in the user program
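As an added illustration that is not part of the slides, the following userspace C model replays the two ping_unhash() calls of slides 8 to 11: on the unpatched path the second sock_put() drives the refcount to 0 under a live fd, while the sk_nulls_node_init() added by the upstream fix makes the second unhash a no-op. The struct sock layout, the refcount handling and the guarded store in hlist_nulls_del are simplifications of the model, not kernel code.

```c
/* Added example, not from the slides: a userspace model of the double
 * ping_unhash() behind CVE-2015-3636 and of the upstream fix. hlist_nulls,
 * LIST_POISON2 and sk_hashed() follow the kernel; struct sock is simplified. */
#include <stdbool.h>
#include <stddef.h>

#define LIST_POISON2 ((struct hlist_nulls_node **)0x200200)  /* slides 6 and 8 */
struct hlist_nulls_node { struct hlist_nulls_node *next, **pprev; };
struct sock {
    struct hlist_nulls_node node;   /* sk->sk_nulls_node */
    int refcnt;                     /* sk->sk_refcnt; reaching 0 is sk_free() */
};
/* Kernel sk_hashed() is just "pprev != NULL". After an unpatched del, pprev
 * holds LIST_POISON2 (non-NULL), so a second unhash is let through. */
static bool sk_hashed(const struct sock *sk) { return sk->node.pprev != NULL; }

static void hlist_nulls_del(struct hlist_nulls_node *n)
{
    /* The kernel stores through pprev unconditionally (the write to 0x200200 of
     * slide 8); the model guards it so the refcount path can be observed. */
    if (n->pprev != LIST_POISON2)
        *n->pprev = n->next;
    n->next = NULL;
    n->pprev = LIST_POISON2;        /* poison the kernel leaves behind */
}

static void sock_put(struct sock *sk) { --sk->refcnt; }

/* ping_unhash() as reached from connect() with sa_family == AF_UNSPEC;
 * `patched` adds the sk_nulls_node_init() the fix inserted after the del. */
static void ping_unhash(struct sock *sk, bool patched)
{
    if (!sk_hashed(sk))
        return;                     /* patched kernel: 2nd call stops here */
    hlist_nulls_del(&sk->node);
    if (patched)
        sk->node.pprev = NULL;      /* sk_nulls_node_init() */
    sock_put(sk);                   /* drop the hash table's reference */
}

/* Two connect(AF_UNSPEC) calls on one hashed PING socket; returns the refcount
 * left. 0 means the object was freed under a live fd (slide 11). */
int refcount_after_double_disconnect(bool patched)
{
    struct hlist_nulls_node *bucket = NULL;
    struct sock sk = { .node = { NULL, &bucket }, .refcnt = 2 }; /* fd + table */
    ping_unhash(&sk, patched);
    ping_unhash(&sk, patched);
    return sk.refcnt;
}
```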

  13. Proof-of-Concept
  • Works only on Android devices
    – int sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    – struct sockaddr addr = { .sa_family = AF_INET };
    – int ret = connect(sockfd, &addr, sizeof(addr));
    – struct sockaddr _addr = { .sa_family = AF_UNSPEC };
    – ret = connect(sockfd, &_addr, sizeof(_addr));
    – ret = connect(sockfd, &_addr, sizeof(_addr));

  15. Exploitation: Goal
  • Control the content of the freed PING socket objects
  • close(fd) to hijack the control flow of the kernel

  17. Exploitation: Re-filling
  • Difficulties of exploiting a UAF in the kernel:
    – Slab allocator: separation between objects
    – Few candidates: lack of controllable kernel objects
    – Multi-thread/core: unpredictable kernel heap layout
    – Content control: lack of control over the content of kernel objects

  18. Exploitation: Re-filling
  • PING socket object in the Linux kernel
    – Lives in a custom slab cache: the "PING" cache
    – kmem_cache_alloc("PING", priority & ~__GFP_ZERO);
  • Its size varies across Android devices

  19. Exploitation: Re-filling
  • Physmap, the direct-mapped memory, is the kernel's direct mapping of physical memory; through it, the pages backing user-space memory are also visible at kernel addresses.
    – ret2dir: Rethinking Kernel Isolation (USENIX 14')

  20. Exploitation: Re-filling
  • How to create: iteratively mmap() in user space
  • Data control: fully user-controlled (fill the mmap()'ed area with our payload)
  • Physmap holding the payload grows by occupying free memory in the kernel

  21. Exploitation: Re-filling
  • Size control: in theory large enough to fill any freed memory in the kernel
  • Exploit UAF bugs regardless of the type of the vulnerable object

  22. Exploitation: Re-filling
  • Info leak by ioctl(): learn whether the overwrite has happened or not
    – A dword value inside the object

  23. Exploitation: Re-filling
  • 1. Allocate hundreds of PING socket objects in groups.
    – For every M padding objects, N target objects are treated as the vulnerable ones.
  • 2. Free the padding PING socket objects normally by calling close().
  • 3. Free the target PING socket objects by triggering the bug.
    – This de-allocation produces large free regions in the kernel for physmap to occupy.
  • 4. Iteratively call mmap() in user space and fill the areas.
    – Payload + magic number for checking the re-filling.
  • 5. Iteratively call ioctl() on the target PING socket objects.
    – ioctl() returns the magic number? Done.
  • 6. Otherwise further physmap spraying is needed.

  25. Exploitation: 64-bit devices
  • The same exploitation strategy applies to 64-bit Android devices.
  • LIST_POISON2 remains 0x200200
  • Physmap is shown to cover the SLAB caches on 64-bit devices as well.

  27. Exploitation: Privilege escalation
  • For most 32-bit Android devices:
    – Once pc is controlled, return to shellcode in user space
    – What does the shellcode do?
      • Leak the kernel stack address to get the thread_info address
      • Overwrite addr_limit to 0 to gain arbitrary kernel read/write

  28. Exploitation: Privilege escalation
  • On many 64-bit devices PXN is enabled.
    – Ret2usr no longer works.
    – Kernel ROP is required.
    – 2 ROP chains:
      • 1 for leakage
      • 1 for overwriting
    – Hardcoded gadget addresses

  29. Exploitation: Privilege escalation
  • JOP (Jump-Oriented Programming) is preferred:
    – Avoids stack pivoting in the kernel, which brings uncertainty
    – Makes full use of the current register values
  • The high 32 bits of kernel addresses are all the same
    – Only the low 32 bits need to be read/written
  • Work hard to find cool gadgets
    – In some ROMs one GOD gadget does both the leaking and the overwriting

  31. Conclusion
  • We propose a universally applicable attack strategy for use-after-free vulnerabilities in the Linux kernel.
  • We achieved root on popular Android devices on the market.
    – First 64-bit root case in the world

  32. Acknowledgement
  • Keen Team
    – wushi
    – James Fang
    – Liang Chen
    – Slipper
    – Peter

  33. References
  1. V. P. Kemerlis, M. Polychronakis, and A. D. Keromytis. ret2dir: Rethinking Kernel Isolation. USENIX Security Symposium, 2014.
  2. Jon Oberheide, Dan Rosenberg. Stackjacking Your Way to grsecurity/PaX Bypass. INFILTRATE 2011.
  3. https://www.kernel.org/doc/Documentation/vm/slub.txt
  4. Vasileios P. Kemerlis, Georgios Portokalidis, and Angelos D. Keromytis. kGuard: Lightweight Kernel Protection against Return-to-user Attacks. USENIX Security Symposium, 2012.
  5. Marco Prandini and Marco Ramilli. Return-Oriented Programming. IEEE Security & Privacy, 2012.
  6. Tyler Bletsch, Xuxian Jiang, Vince W. Freeh, Zhenkai Liang. Jump-Oriented Programming: A New Class of Code-Reuse Attack. Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ACM, 2011.

  34. Thank you! Q&A
