Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938
CVE-2023-20938 is a use-after-free vulnerability in the Android Binder device driver that affected all Android devices using GKI kernel versions 5.4 and 5.10. The Android Red Team at OffensiveCon 2024 presented their findings on this vulnerability, which allowed them to achieve root privileges from an untrusted app on a fully updated Android device. The vulnerability was fixed and patches were released as part of the Android Security Bulletins in February and July 2023 (the July release, tracked as CVE-2023-21255, addressed the incomplete initial fix).

Binder is the primary inter-process communication (IPC) channel on Android, used for passing file descriptors and objects containing pointers across process boundaries. It is accessible by default to every untrusted and isolated app, presenting a wide attack surface. The complexity of Binder's object lifetime, memory management, and concurrent threading model has led to several security issues, primarily use-after-free bugs.

The team provided a technical breakdown of how they exploited the vulnerability, starting with a detailed explanation of how Binder works, including the initialization of Binder endpoints, sending and receiving transactions, and establishing connections with other processes. They then described the exploitation process, which involved manipulating the reference counters of a Binder Node object to introduce inconsistencies and achieve a use-after-free condition.

The exploitation process included several stages: obtaining a leak primitive to read kernel memory, using an unlink primitive to overwrite kernel memory, and leveraging these primitives to achieve arbitrary kernel memory read access. The team also discussed how they overcame changes in the SLUB allocator's caches in newer kernel versions in order to perform the use-after-free on victim objects. To gain root privileges, the exploit located the process's task_struct and cred structures, overwrote the ID fields in cred with the root UID, disabled SELinux, and bypassed seccomp.
The team also provided information on obtaining an arbitrary write primitive using the struct seq_file object. The blog post concluded with remediation details for CVE-2023-20938 and CVE-2023-21255, acknowledging the individuals who supported the technical aspects and review of the post. For further technical questions, they provided contact information for the Android Offensive Security team at Google.

CVEs: CVE-2023-20938, CVE-2019-2215, CVE-2022-20421, CVE-2020-0423, CVE-2020-0041, CVE-2023-21255

Prior Binder exploits referenced (not malware): BadBinder, Waterdrop, TyphoonMangkhut, BadSpin. SLUB is the kernel's slab allocator, not an exploit or malware family.

[View Article](https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/)