Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel
In this work, we present an exploit for a unique Binder kernel use-after-free (UAF) vulnerability (CVE-2022-20421), which was disclosed recently. Through this vulnerability, we examine the exploitability of a spinlock use-after-free that offers no other memory corruption primitive. We devised an innovative and generic technique for exploiting such limited use-after-free vulnerabilities, assuming a queued spinlock implementation (the default implementation on Android since kernel version 4.19).
Our technique includes constructing a primitive to corrupt a kernel pointer. This corruption is then further developed into a type confusion and eventually into arbitrary kernel read/write, together with a kASLR bypass and the defeat of all other relevant mitigations. We successfully demonstrated robust and stable exploitation on 3 Android devices (Samsung Galaxy S21 Ultra, Samsung Galaxy S22, and Google Pixel 6), assuming code execution from the untrusted_app SELinux context.
writeup
slides
PoC for CVE-2022-20421
GitHub - 0xkol/badspin: Bad Spin: Android Binder Privilege Escalation Exploit (CVE-2022-20421)
video
youtube.com/watch?v=E3CVDOlcHC4&list=PLYvhPWR_XYJmh-qBNKUrlyjQYKBpCDZzB