The 2018 Pwnie Nominee For Best Client-Side Bug

CVE-2017-5116

Credit: Guang Gong (@oldfresher)

The Google Pixel phone had previously enjoyed a peaceful life as the only mobile device that had not been pwned in Mobile Pwn2Own. That is, until 360 Alpha Team’s Guang Gong exploited an RCE bug in V8 chained with a privilege escalation in Android’s libgralloc. The V8 vulnerability was an exploitable race condition between the moment V8 verified a WebAssembly program stored in a SharedArrayBuffer and the moment it copied that program out of the SharedArrayBuffer to be run. By creatively modifying the WebAssembly program from a web worker during that window, an attacker can cause unverified WebAssembly to be executed and turn this into RCE for fun and profit.
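The bug class described above is a time-of-check/time-of-use race: the validator inspects bytes that another thread can still write to, and the engine later consumes whatever is in the buffer by then. The following toy, added here as an illustration and not code from V8, the exploit, or the Pwnie writeup, models the two shapes side by side with a constructed three-opcode "bytecode" and a deterministic stand-in for the racing worker (a callback fired between check and use, rather than a real thread, so the outcome is reproducible). The opcode names, `compile_vulnerable`, `compile_hardened` and `demo` are all assumptions made for this example.

```python
"""Toy model of a validate-then-copy race on a shared buffer.

Added illustration; not code from V8 or from the Pwnie nominee writeup.
"""
from typing import Callable, List

# Constructed toy opcode set. The interpreter assumes only ALLOWED opcodes
# ever reach it; the validator is the sole gate, exactly as a Wasm validator
# is the sole gate before compiled code is trusted.
OP_INC, OP_DEC = 0x01, 0x02
ALLOWED = {OP_INC, OP_DEC}
OP_UNSAFE = 0xFF  # stands in for anything the validator must never let through


def validate(code: bytes) -> bool:
    """The check: every opcode must be in the allowed set."""
    return all(op in ALLOWED for op in code)


def interpret(code: bytes) -> List[int]:
    """The use: runs whatever it is handed and reports which opcodes ran.
    Deliberately performs no checks of its own, mirroring an engine that
    relies entirely on prior validation."""
    return list(code)


def compile_vulnerable(shared: bytearray,
                       racing_write: Callable[[], None]) -> List[int]:
    """TOCTOU shape: validate the *shared* buffer, copy it out afterwards.

    `racing_write` models a worker thread that writes into the shared
    buffer between the check and the copy."""
    if not validate(bytes(shared)):
        raise ValueError("rejected by validator")
    racing_write()             # the window: shared memory changes here
    private = bytes(shared)    # copy taken after validation
    return interpret(private)  # unvalidated bytes can reach the engine


def compile_hardened(shared: bytearray,
                     racing_write: Callable[[], None]) -> List[int]:
    """Fixed shape: copy first, validate the private copy, run only that copy.

    Writes to the shared buffer after the copy cannot affect what runs."""
    private = bytes(shared)    # snapshot before any check
    racing_write()             # concurrent writes now hit only `shared`
    if not validate(private):
        raise ValueError("rejected by validator")
    return interpret(private)


def demo(compile_fn: Callable[[bytearray, Callable[[], None]], List[int]]) -> List[int]:
    """Runs one of the two shapes against a buffer a racing writer tampers with."""
    shared = bytearray([OP_INC, OP_INC, OP_DEC])

    def racing_write() -> None:
        # Constructed racing write: swap a valid opcode for a forbidden one.
        shared[1] = OP_UNSAFE

    return compile_fn(shared, racing_write)


if __name__ == "__main__":
    print("vulnerable ran:", [hex(op) for op in demo(compile_vulnerable)])
    print("hardened  ran:", [hex(op) for op in demo(compile_hardened)])
```

The hardened variant is the mitigation V8-style engines apply to this class of bug: anything that can be written by another agent (a SharedArrayBuffer, a memory-mapped file, a buffer owned by a lower-privilege process) is copied into memory the validator alone owns, and only that copy is ever validated and executed. A review check for the same shape in other code is to look for a validation routine whose argument aliases memory reachable from another thread or process.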