Introduction to Android Kernel UAF Exploitation

Kernel-level vulnerabilities on Android ARM64 devices present a formidable threat, offering attackers unparalleled control over the system. Among these, Use-After-Free (UAF) vulnerabilities are particularly potent, allowing an attacker to leverage freed memory regions for malicious purposes. This guide delves into the intricate process of identifying, exploiting, and achieving privilege escalation through a UAF vulnerability on an Android ARM64 kernel, demonstrating the core principles from a hands-on perspective.

Understanding kernel exploitation requires a solid grasp of memory management, CPU architecture specifics, and the kernel’s internal workings. On ARM64, features like Privileged Access Never (PAN), Kernel Address Space Layout Randomization (KASLR), and hardware-enforced permissions introduce additional layers of complexity, but they are not insurmountable for a determined attacker.

Setting Up Your Exploitation Environment

Before diving into exploit development, a suitable environment is paramount. You’ll need:

• AOSP Build Environment: Essential for compiling custom Android kernels.
• Kernel Source Code: For the specific Android version and device you’re targeting.
• Rooted Android Device or Emulator: Necessary for deploying custom kernels and interacting with kernel modules.
• ADB: Android Debug Bridge for device interaction.
• Cross-Compilation Toolchain: For compiling user-space exploits (e.g., `aarch64-linux-android-gcc`).
• Debugging Tools (Optional but Recommended): GDB server on target, GDB multi-arch on host for kernel debugging.

The process often begins with compiling a kernel with debugging symbols enabled and potentially disabling some hardening features in a lab environment to simplify initial development, though a real-world exploit would need to bypass them.

# Example: Compiling a kernel module for ARM64Android make ARCH=arm64 CROSS_COMPILE=<path_to_aarch64_toolchain> O=<output_dir> uaf_driver.ko

Understanding the Use-After-Free Vulnerability

A UAF occurs when a program attempts to use memory after it has been freed. The kernel might free an object, but a pointer to that object remains in active use. If, after freeing, the same memory region is reallocated for another purpose (e.g., a different kernel object), the old dangling pointer now points to the new, potentially attacker-controlled, object.

Consider a simplified kernel module with a hypothetical vulnerability:

// drivers/char/uaf_driver.c #include <linux/module.h> #include <linux/kernel.h> #include <linux/fs.h> #include <linux/slab.h> #include <linux/uaccess.h> #include <linux/ioctl.h>  #define DEVICE_NAME "uaf_device"  struct uaf_object {     void (*callback)(void);     int id;     char name[32]; };  static struct uaf_object *global_uaf_ptr; // Dangling pointer potential  #define UAF_ALLOC _IO(0xA0, 0x01) #define UAF_FREE  _IO(0xA0, 0x02) #define UAF_USE   _IO(0xA0, 0x03) #define UAF_SET_NAME _IOW(0xA0, 0x04, char[32])  static long uaf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) {     char user_name[32];     switch (cmd) {         case UAF_ALLOC:             global_uaf_ptr = kmalloc(sizeof(struct uaf_object), GFP_KERNEL);             if (global_uaf_ptr) {                 global_uaf_ptr->id = 0x1337;                 global_uaf_ptr->callback = NULL;                 pr_info("UAF: Object allocated at %pxn", global_uaf_ptr);             }             break;         case UAF_FREE:             if (global_uaf_ptr) {                 kfree(global_uaf_ptr);                 pr_info("UAF: Object freed at %pxn", global_uaf_ptr);                 // global_uaf_ptr is NOT nulled here -- UAF!             }             break;         case UAF_USE:             // This will trigger a UAF if global_uaf_ptr was freed and reallocated             if (global_uaf_ptr && global_uaf_ptr->callback) {                 pr_info("UAF: Calling callback at %pxn", global_uaf_ptr->callback);                 global_uaf_ptr->callback(); // EXECUTE ARBITRARY CODE             } else {                 pr_info("UAF: Callback not set or pointer is NULL.n");             }             break;         case UAF_SET_NAME:             if (global_uaf_ptr && copy_from_user(user_name, (char __user *)arg, sizeof(user_name)) == 0) {                 memcpy(global_uaf_ptr->name, user_name, sizeof(user_name));                 pr_info("UAF: Name set: %sn", global_uaf_ptr->name);             }             break;     }     return 0; }  static const struct file_operations uaf_fops = {     .owner = THIS_MODULE,     .unlocked_ioctl = uaf_ioctl, };  static int __init uaf_init(void) {     pr_info("UAF: Loading uaf_driver modulen");     return misc_register(&uaf_dev); }  static void __exit uaf_exit(void) {     pr_info("UAF: Unloading uaf_driver modulen");     misc_deregister(&uaf_dev); }  module_init(uaf_init); module_exit(uaf_exit); MODULE_LICENSE("GPL");

Heap Grooming and Arbitrary Read/Write Primitive

The core of a UAF exploit lies in controlling the memory layout after a `kfree` operation. This is achieved through a technique called