The 2021 Pwnie Nominee For Epic Achievement

Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Researcher Name: Hongli Han, Rong Jian, Xiaodong Wang, Peng Zhou

Link: https://www.blackhat.com/us-21/briefings/schedule/index.html#typhoon-mangkhut-one-click-remote-universal-root-formed-with-two-vulnerabilities-22946

This is the first publicly known remote exploitation chain against Android 10/11 on the Pixel 4 that was submitted to Google, and it was publicly acknowledged in Google's official Vulnerability Reward Program annual report. Only two vulnerabilities, working together, are needed to break through the Android system's existing mitigations and form a usable exploit chain. The first is a type confusion vulnerability in Chrome's V8 engine, which is converted into a stable arbitrary read/write primitive and from there into remote code execution in the renderer. The second is a use-after-free (UAF) vulnerability in the Binder driver, present in versions including but not limited to Android 9, Android 10 and the Android 11 preview. A series of ingenious techniques bypasses the sandbox restrictions and turns the UAF into stable arbitrary read/write in kernel space, achieving local privilege escalation from within the sandbox. The vulnerability needs to be triggered only once to obtain kernel-space arbitrary read/write, and once that stable primitive is in hand almost no further adaptation is needed, which is what makes the root universal.