New issue
Advanced search Search tips
Starred by 2 users

Issue metadata

Status: Fixed
Closed: Sep 5

Sign in to add a comment

Android: privesc zygote->init; chain from USB

Project Member Reported by, Jun 12

Issue description

After reporting
(Android ID 80436257, CVE-2018-9445), I discovered that this issue could also
be used to inject code into the context of the zygote. Additionally, I
discovered a privilege escalation path from zygote to init; that escalation path
is why I'm filing a new bug.

Essentially, the privilege escalation from zygote to init is possible because
system/sepolicy/private/zygote.te contains the following rule:

    allow zygote self:capability sys_admin;

(On the current AOSP master branch, the rule looks slightly different, but it's
still there.)

This rule allows processes in the zygote domain to use the CAP_SYS_ADMIN
capability, if they have such a capability. The zygote has the capability and
uses it, e.g. to call umount() and to install seccomp filters without setting
the NO_NEW_PRIVS flag. CAP_SYS_ADMIN is a bit of a catch-all capability: If
kernel code needs to check that the caller has superuser privileges and none of
the capability bits fit the particular case, CAP_SYS_ADMIN is usually used.
The capabilities(7) manpage has a long, but not exhaustive, list of things that
this capability permits:

One of the syscalls that can be called with CAP_SYS_ADMIN and don't have
significant additional SELinux hooks is pivot_root(). This syscall can be used
to switch out the root of the current mount namespace and, as part of that,
change the root of every process in that mount namespace to the new namespace
root (unless the process already had a different root).

The exploit for this issue is in zygote_exec_target.c, starting at
"if (unshare(CLONE_NEWNS))". The attack is basically:

1. set up a new mount namespace with a root that is fully attacker-controlled
2. execute crash_dump64, causing an automatic transition to the crash_dump
3. the kernel tries to load the linker for crash_dump64 from the
   attacker-controlled filesystem, resulting in compromise of the crash_dump
4. from the crash_dump domain, use ptrace() to inject syscalls into vold
5. from vold, set up a loop device with an attacker-controlled backing device
   and mount the loop device over /sbin, without "nosuid"
6. from vold, call request_key() with a nonexistent key, causing a
   usermodehelper invocation to /sbin/request-key, which is labeled as
   init_exec, causing an automatic domain transition from kernel to init (and
   avoiding the "neverallow kernel *:file { entrypoint execute_no_trans };"
   aimed at stopping exploits using usermodehelpers)
7. code execution in the init domain

Note that this is only one of multiple possible escalation paths; for example,
I think that you could also enable swap on an attacker-controlled file, then
modify the swapped-out data to effectively corrupt the memory of any userspace
process that hasn't explicitly locked all of its memory into RAM.

In order to get into the zygote in the first place, I have to trigger
CVE-2018-9445 twice:

1. Use the bug to mount a "public volume" with a FAT filesystem over /data/misc.
2. Trigger the bug again with a "private volume" with a dm-crypt-protected
   ext4 filesystem that will be mounted over /data. To decrypt the volume, a key
   from /data/misc/vold/ is used.
3. Cause system_server to crash in order to trigger a zygote reboot. For this,
   the following exception is targeted:

 java.lang.NullPointerException: Attempt to get length of null array
        at Source:0)
        at android.os.Handler.dispatchMessage(
        at android.os.Looper.loop(

   This exception can be triggered by sending >=2MiB (mPersistThresholdBytes) of
   network traffic to the device, then either waiting for the next periodic
   refresh of network stats or changing the state of a network interface.

4. The rebooting zygote64 does dlopen() on
   /data/dalvik-cache/arm64/system@framework@boot.oat, resulting in code
   execution in the zygote64. (For the zygote64 to get to this point, it's
   sufficient to symlink
   /data/dalvik-cache/arm64/system@framework@boot.{art,vdex} to their
   counterparts on /system, even though that code isn't relocated properly.)

I have attached an exploit for the full chain, with usage instructions in USAGE.

WARNING: As always, this exploit is intended to be used only on research devices that don't store user data. This specific exploit is known to sometimes cause data corruption.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

60.0 KB Download
Project Member

Comment 1 by, Jun 12

Description: Show this description
Project Member

Comment 2 by, Jul 9

Description: Show this description
Project Member

Comment 3 by, Jul 27

Reported as:
Android ID: 110107376
Project Member

Comment 4 by, Aug 30

Labels: CVE-2018-9488
Project Member

Comment 5 by, Sep 5

Project Member

Comment 6 by, Sep 10

Android provided the following comment (also applies to  issue 1583 ):

"We would like to thank Jann Horn of Project Zero for reporting CVE-2018-9445 and CVE-2018-9488 to Android’s security team. We haven’t seen any evidence of exploits and the reported chain of issues require local physical access to the device. We have addressed these issues: Android devices with a security patch level (SPL) of at least 2018-08-01 are protected against the USB exploit chain and Android devices with a SPL of at least 2018-09-01 contain further mitigations and are protected against both issues."
Project Member

Comment 7 by, Sep 10

Labels: -Restrict-View-Commit

Sign in to add a comment