In this work, we will present an exploit for a unique Binder kernel use-after-free (UAF) vulnerability (CVE-2022-20421) which was recently disclosed. Using this vulnerability, we examine the exploitability of a spinlock use-after-free that offers no other memory corruption primitive. We devised an innovative and generic technique for exploiting such limited use-after-free vulnerabilities, assuming a queued spinlock implementation (the default implementation on Android since kernel version 4.19).
Our technique includes constructing a primitive to corrupt a kernel pointer. This corruption is then further developed into a type confusion and eventually into arbitrary kernel read/write, bypassing kASLR and all other relevant mitigations. We successfully demonstrated robust and stable exploitation on 3 Android devices (Samsung Galaxy S21 Ultra, Samsung Galaxy S22, and Google Pixel 6), assuming code execution from the untrusted_app SELinux context.
Moshe Kol (@0xkol) is a wickedly talented security researcher with many years of experience in vulnerability research, reverse engineering, and exploit development. He is behind high-profile security research pieces such as Ripple20 and DNSpooq, and has presented his research at industry conferences such as Black Hat, DEFCON, and CODE BLUE. Presently, Moshe focuses on researching the Linux/Android kernel at JSOF. Moshe obtained his M.Sc. in Computer Science from the Hebrew University of Jerusalem.