Overview
This course covers the exploitation of a Use-After-Free vulnerability in the xt_qtaguid kernel module on Android devices. By reviewing earlier bugs in the module and walking through the reported CVE-2021-0399 vulnerability, learners gain insight into rooting techniques, kernel memory manipulation, and kernel control-flow integrity. The material is presented as a discussion of historical vulnerabilities, the practical exploitation steps, and the on-device protection mechanisms that counter them. This course is intended for security researchers, Android developers, and anyone interested in kernel-level security and exploitation techniques.
Syllabus
Intro
xt_qtaguid - Introduction
xt_qtaguid Open Device
CVE-2017-13273
eventfd leaks kernel heap address
Step 1 - Double Free on kmalloc-128
KASLR Leak
Rooting (possible primitives)
Step 3 - Rooting (controlling seq_operations)
Step 3 - Rooting (overwriting addr_limit?)
Step 3 - Rooting (the ultimate ROP)
Step 3 - Rooting (root shell)
Summarization for Exploiting CVE-2021-0399
CONFIG_SLAB_FREELIST_HARDENED
KFENCE
Kernel Control Flow Integrity
CONFIG_DEBUG_LIST
On-Device Protection
Backend Infrastructure
Behavioural Detection
Summary
Taught by
Black Hat