In recent years, to find a universal root solution for Android becomes harder and harder due to rare vulnerabilities in the Linux kernel base and also the exploit mitigations applied on the devices by various vendors.
In this paper, we will present our universal root solution. The related vulnerability CVE-2015-3636, a typical use-after-free bug in Linux kernel is discussed in detail. Exploiting such a use-after-free in Linux kernel is truly difficult due to the separated allocation from the kernel allocator. We will show how we leverage this kernel use-after-free bug to achieve privilege promotion on most popular Android devices on market which have a version not less than 4.3, including the first 64bit root case in the world. In short, we will present a generic way to exploit use-after-free vulnerabilities in Linux kernel, which means one exploit applies to devices of all brands. All the current mitigations in the kernel like PXN are circumvented by this approach. And most importantly our unique and undocumented exploitation technique targeting kernel use-after-free bugs features stability and accuracy.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {191942,
author = {Wen Xu and Yubin Fu},
title = {Own Your Android! Yet Another Universal Root},
booktitle = {9th USENIX Workshop on Offensive Technologies (WOOT 15)},
year = {2015},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/woot15/workshop-program/presentation/xu},
publisher = {USENIX Association},
month = aug
}
