The 2022 Pwnie Winner For Best Privilege Escalation Bug

Mystique in the House: The Droid Vulnerability Chain That Owns All Your Userspace

Researchers Name: Qidan He of @dawnslab

Nominating for the `mystique` bug, i.e. CVE-2021-0691 and other bugs in the chain in multiple vendors like Samsung, Xiaomi, Oppo including CVE-2021-25450, CVE-2021-25485 and CVE-2021-23243, that allows an application with zero permission to execute code in any other applications. Details of this research can be found at the whitepaper https://dawnslab.jd.com/mystique-paper/mystique-paper.pdf and delivered talk in CanSecWest 22 https://dawnslab.jd.com/mystique-paper/CSW22-mystique.pdf

Actually the core of this bug chain (CVE-2021-0691) is just one line of change in the android SELinux policy. One line of change, and the whole sandbox collapsed. Combined with multiple bugs in vendors, they achieved almost super power in the userspace.