Arbitrary file overwrite vulnerabilities are common in Android apps, but since Android 5, whether such a bug can be turned into code execution has become highly app-dependent. We present a new, app-agnostic, persistent technique that reliably converts an arbitrary file overwrite into code execution by targeting the runtime-generated app image (.art) file, which remains writable within the app's sandbox. By replacing this file with a crafted malicious image, an attacker persistently gains code execution each time the app restarts.
We describe two exploitation strategies. The first is a local attack that, assuming an ASLR leak, leverages an arbitrary memory write during image decompression to corrupt ART runtime objects, hijack control flow, and execute shell commands through a JOP chain. The second is a remote attack that requires no ASLR leak and instead abuses the image relocation logic to inject and execute attacker-controlled bytecode, achieving arbitrary code execution via Runtime.exec. We demonstrate the practicality of both approaches by exploiting real n-day and 0-day arbitrary file overwrite bugs on commercial phones. We showcase the local technique with a zero-click privilege escalation chain from an untrusted app to the system user, exploiting an arbitrary file overwrite in the OnePlus backup app. We also demonstrate the remote technique by exploiting the same arbitrary file overwrite in the OnePlus backup app as an attacker connected to the same Wi-Fi network as the target device, after the user has started a backup session. To further demonstrate the remote technique, we present a new variant of the Pwn2Own24 Galaxy S24 chain which, by leveraging our remote technique, now achieves code execution as platform_app with one fewer bug. Together, these results demonstrate the power of an arbitrary file overwrite vulnerability in Android apps and show memory corruption exploitation deep inside the Android Runtime.
Philipp is a PhD student in the Hexhive lab at EPFL, poking at the glue holding Android together. His prior work includes research on TEEs, system services and Scudo. In his free time he plays CTF, focussing on pwn challenges.
Rokhaya is a Master's student at EPFL and works part-time in the HexHive lab as a research assistant. She previously conducted research on binary similarity. She is also an active CTF player and was previously president of EPFL's CTF team, polygl0ts.