In recent years, Google has made many great efforts in exploit mitigation and attack surface reduction to strengthen the security of android system. It is becoming more and more difficult to remotely compromise Android phones especially Google’s Pixel phone.
The Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But our team discovered a remote exploit chain—the first of its kind since the Android Security Rewards (ASR) program expansion, which could compromise The Pixel phone remotely. The exploit chain was reported to Android security team directly. They took it seriously and patched it quickly. Because of the severity and our detailed report, we were awarded the highest reward ($112,500) in the history of the ASR program.
In this talk we will detail how we used the exploit chain to inject arbitrary code into system_server process and get system user permissions. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug related with Webassembly and SharedArrayBuffer. It is used to get remote code execution in sandboxed Chrome render process. CVE-2017-14904 is a bug in Android's libgralloc module that is used to escape from the sandbox. The way we used for sandbox escaping is very interesting, rarely talked about before. All details of vulnerabilities and mitigation bypassing techniques will be given in this talk.
Guang Gong (@oldfresher) is a senior security researcher of Qihoo360 and the team leader of 360 Alpha Team. His research interests included Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android's vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, SyScan360, MOSEC, PacSec and so on. He is the winner of Mobile Pwn2Own 2015(the target: Nexus 6), Pwn0Rama 2016 (the category of mobile devices), Pwn2Own 2016 (the target: Chrome), PwnFest 2016(the target: Pixel XL), Mobile Pwn2Own 2017(the target: Galaxy S8). @oldfresher
Wenlin Yang is a junior researcher of Qihoo 360 and the team member of 360 Alpha Team. He currently focuses on Android's vulnerabilities. He has submitted multiple bugs to Google and several other vendors in China and received some acknowledgments.
Jianjun Dai (@Jioun_dai) is a security researcher of Qihoo360 Alpha Team, he focus on Android system security research, vulnerability hunting and exploiting development. Previously, he is a security developer, major work include network protocol analysis, vulnerability detection, botnet and backdoor detection, sandbox technology research and development, etc. He have been in Android vulnerability research for more than two years, he found lots of vulnerabilities in AOSP, and won the Bug Bounty. He is a speaker at the CanSecWest conference.