Black Hat | Game of Cross Cache: Let's Win It in a More Effective Way! @BlackHatOfficialYT
Cross-cache attacks, an extremely popular technique for exploiting heap-based vulnerabilities, serve as the foundation for many well-known exploit methods, such as Ret2dir, Ret2page, and so on. As Android strengthens its kernel mitigations, there is a growing trend towards proposing generic data-only exploitation methods, such as DirtyCred, Dirty Pagetable, the Pipe primitive and others, to counteract mitigations like CFI, PAN, etc. Many of these generic exploitation methods rely predominantly on cross-cache attacks. As a result, the efficiency of cross-cache attacks directly determines the success rate of numerous heap-based vulnerability exploits on Android.
In this presentation, we will unveil a much more effective cross-cache attack by exploiting a recently discovered UAF vulnerability on Android. New methods will be disclosed for the first time, addressing challenges encountered in cross-cache attacks. For instance, we have devised a new approach to reclaim the victim slab even when object allocation is restricted. Additionally, an elegant method has been developed for efficiently executing cross-cache attacks between slabs of different sizes.
Moreover, we will provide a detailed discussion on how to use Dirty Pagetable[1], an effective cross-cache-based exploit method, to achieve privilege escalation on a Samsung mobile device. Although we introduced Dirty Pagetable earlier by demonstrating how to root some well-known Android devices, we have not yet demonstrated its use in attacking Samsung KNOX RKP. So, this time, let's do it! We will also reveal a new technique for bypassing SELinux on Samsung devices.
Le Wu | Security Researcher, Baidu
Qi Zhang | Security Researcher
Full Abstract & Presentation Materials: blackhat.com/asia-24/briefings/schedule/#game-of-cross-cache-lets-win-it-in-a-more-effective-way-37742