Eloi Sanfelix

A Bug Collision Tale

Abstract

This talk will be about a Binder vulnerability that was first disclosed to Google by the Qihoo 360 C0RE Team, but also found by Jann Horn (who else?) and ourselves before it was fixed. The vulnerability was assigned CVE-2019-2025 and the Qihoo 360 guys named it "Waterdrop".

We found this and another recently fixed bug in the Binder driver in mid-September 2018. We spent a considerable amount of time developing reliable exploits for the Google Pixel 3 and Galaxy S9 handsets during the fall of 2018. Soon after we were finished, we realized the bug had "just" been fixed upstream and it was only a matter of time until the fix would make it to Android.

In this talk we'll give insight into the emotional roller-coaster of developing a reliable exploit for this bug, the issues we faced and the techniques we used to solve them.

We'll describe how our exploit achieves read/write access to the kernel in spite of all mitigations present (PXN/PAN, CFI, and additionally the RKP hypervisor in Samsung phones) and escalates to root.

Finally, we'll compare our approach to that of Qihoo 360 and learn some lessons from that.

BIO

Eloi works as a Security Researcher at Blue Frost Security, where he focuses on vulnerability research and exploitation on Android platforms. In the past, he spent 9 years performing security evaluations of smart cards and embedded systems. This included analysis from the silicon layer up to the software layer.