
Techniques [BlackHat Asia 2024] Game of Cross Cache: Let's Win It in a More Effective Way!

weaver

Description

Cross-cache attacks, an extremely popular technique for exploiting heap-based vulnerabilities, serve as the foundation for many well-known exploit methods, such as Ret2dir, Ret2page, and so on. As Android strengthens its kernel mitigations, there is a growing trend towards proposing generic data-only exploitation methods, such as DirtyCred, Dirty Pagetable, Pipe primitive and others, to counteract mitigations like CFI, PAN, etc. Many of these generic exploitation methods predominantly rely on cross-cache attacks. As a result, the efficiency of cross-cache attacks directly determines the success rate of numerous heap-based vulnerability exploits on Android.

In this presentation, we will unveil a much more effective cross-cache attack by exploiting a recently discovered UAF vulnerability on Android. New methods will be disclosed for the first time, addressing challenges encountered in cross-cache attacks. For instance, we have devised a new approach to reclaim the victim slab even when object allocation is restricted. Additionally, an elegant method has been developed for efficiently executing cross-cache attacks between slabs of different sizes.

Moreover, we will provide a detailed discussion on how to use Dirty Pagetable [1], an effective cross-cache-based exploit method, to achieve privilege escalation on a Samsung Mobile device. Although we introduced Dirty Pagetable earlier by demonstrating how to root some well-known Android devices, we have not demonstrated its utilization in attacking Samsung KNOX RKP. So, this time, let's do it! We will also reveal a new technique for bypassing SELinux on Samsung devices.

[1] https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html

blackhat.com/asia-24/briefings/schedule/index.html#game-of-cross-cache-lets-win-it-in-a-more-effective-way-37742


slides
github.com/yanglingxi1993/slides/blob/main/Asia-24-Wu-Game-of-Cross-Cache.pdf