Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-20421 PoC — Google Pixel 资源管理错误漏洞

Source
https://github.com/0xkol/badspin
Associated Vulnerability
Title:Google Pixel 资源管理错误漏洞 (CVE-2022-20421)
Description:Google Pixel是美国谷歌(Google)公司的一款智能手机。 Google Pixel存在安全漏洞。目前尚无此漏洞的相关信息,请随时关注CNNVD或厂商公告。
Description
Bad Spin: Android Binder Privilege Escalation Exploit (CVE-2022-20421)
Readme
# Bad Spin: Android Binder LPE

Author: Moshe Kol

Privilege escalation exploit from `unstrusted_app` for Android Binder vulnerability (CVE-2022-20421). The vulnerability is patched on Android's Security Bulletin of October 2022. The exploit works on devices running kernel versions 5.4.x and 5.10.x, and it achieves full kernel R/W primitives. For the Google Pixel 6, it also obtains full root and SELinux bypass.

You can find the full write-up [here](https://0xkol.github.io/assets/files/Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf).

## Run from shell

1. Compile the `libbadspin.so` library by typing `make push` in the `src/` directory. This will also push the library to `/data/local/tmp`.
2. Run `adb shell`.
3. Run `LD_PRELOAD=/data/local/tmp/libbadspin.so sleep 1`. This will load the library and start the exploit.

## Run from demo app

1. Compile `libbadspin.so` by typing `make push` in the `src/` directory. This will copy the library to the `assets` directory for the demo Android app.
2. Compile the demo Android app in the `app/` directory. (You might need Android Studio to do this.)
3. Run the app and click on the "Exploit" button. 
4. Consume logs using: `adb logcat -s BADSPIN`

## Compilation options

You can pass the following variables to `make`:

- `VERBOSE=1` to increase verbosity.
- `TEST_VULN=1` to test the vulnerability without proceeding with the exploit.

## Tested devices

```
$ make list
0: Samsung Galaxy S22, Android 12 (6/2022), kernel 5.10.81
1: Samsung Galaxy S21 Ultra, Android 12 (3/2022), kernel 5.4.129
2: Google Pixel 6, Android 12 (5/2022), kernel 5.10.66
3: Google Pixel 6, Android 13 (9/2022), kernel 5.10.107
```

## Support a new device

It is not difficult to adapt the exploit and support a new device.

1. Make sure your new device runs on kernel version 5.4.x or 5.10.x, and that its Android's security patch level is below October 2022.
2. Add your device properties to `dev_config.h`.
3. Specify two function pointers:
   * `kimg_to_lm()`: Converts a kernel image virtual pointer to the linear mapping. 
   * `find_kbase()`: Finding the kernel base address from an `anon_pipe_buf_ops` leaked pointer.
   
   You may use the already provided functions for this. (If your vendor is not Samsung and you're not sure, use the same functions as for the Pixel 6.)
4. Compile and run.

If it works for you, please submit a pull request.


## Known issues

* The phone might crash on unsuccessful attempts.
* The exploit is unstable in the first few minutes after boot.
* Only works on kernel versions 5.4.x and 5.10.x.
* Only achieves kernel R/W on non-Pixel devices.
File Snapshot

 [4.0K]  /data/pocs/792d185cb9ee15875f5395d8c30fe3e7b6d38b87
├── [4.0K]  app
│   ├── [4.0K]  app
│   │   ├── [1.2K]  build.gradle
│   │   ├── [ 750]  proguard-rules.pro
│   │   └── [4.0K]  src
│   │       ├── [4.0K]  androidTest
│   │       │   └── [4.0K]  java
│   │       │       └── [4.0K]  local
│   │       │           └── [4.0K]  badspin
│   │       │               └── [ 740]  ExampleInstrumentedTest.java
│   │       ├── [4.0K]  main
│   │       │   ├── [ 877]  AndroidManifest.xml
│   │       │   ├── [4.0K]  java
│   │       │   │   └── [4.0K]  local
│   │       │   │       └── [4.0K]  badspin
│   │       │   │           └── [2.1K]  MainActivity.java
│   │       │   └── [4.0K]  res
│   │       │       ├── [4.0K]  drawable
│   │       │       │   └── [5.5K]  ic_launcher_background.xml
│   │       │       ├── [4.0K]  drawable-v24
│   │       │       │   └── [1.7K]  ic_launcher_foreground.xml
│   │       │       ├── [4.0K]  layout
│   │       │       │   └── [ 892]  activity_main.xml
│   │       │       ├── [4.0K]  mipmap-anydpi-v26
│   │       │       │   ├── [ 272]  ic_launcher_round.xml
│   │       │       │   └── [ 272]  ic_launcher.xml
│   │       │       ├── [4.0K]  mipmap-anydpi-v33
│   │       │       │   └── [ 343]  ic_launcher.xml
│   │       │       ├── [4.0K]  mipmap-hdpi
│   │       │       │   ├── [2.8K]  ic_launcher_round.webp
│   │       │       │   └── [1.4K]  ic_launcher.webp
│   │       │       ├── [4.0K]  mipmap-mdpi
│   │       │       │   ├── [1.7K]  ic_launcher_round.webp
│   │       │       │   └── [ 982]  ic_launcher.webp
│   │       │       ├── [4.0K]  mipmap-xhdpi
│   │       │       │   ├── [3.8K]  ic_launcher_round.webp
│   │       │       │   └── [1.9K]  ic_launcher.webp
│   │       │       ├── [4.0K]  mipmap-xxhdpi
│   │       │       │   ├── [5.8K]  ic_launcher_round.webp
│   │       │       │   └── [2.8K]  ic_launcher.webp
│   │       │       ├── [4.0K]  mipmap-xxxhdpi
│   │       │       │   ├── [7.6K]  ic_launcher_round.webp
│   │       │       │   └── [3.8K]  ic_launcher.webp
│   │       │       ├── [4.0K]  values
│   │       │       │   ├── [ 378]  colors.xml
│   │       │       │   ├── [  70]  strings.xml
│   │       │       │   └── [ 809]  themes.xml
│   │       │       ├── [4.0K]  values-night
│   │       │       │   └── [ 809]  themes.xml
│   │       │       └── [4.0K]  xml
│   │       │           ├── [ 478]  backup_rules.xml
│   │       │           └── [ 551]  data_extraction_rules.xml
│   │       └── [4.0K]  test
│   │           └── [4.0K]  java
│   │               └── [4.0K]  local
│   │                   └── [4.0K]  badspin
│   │                       └── [ 374]  ExampleUnitTest.java
│   ├── [ 229]  build.gradle
│   ├── [4.0K]  gradle
│   │   └── [4.0K]  wrapper
│   │       ├── [ 58K]  gradle-wrapper.jar
│   │       └── [ 230]  gradle-wrapper.properties
│   ├── [1.2K]  gradle.properties
│   ├── [5.6K]  gradlew
│   ├── [2.7K]  gradlew.bat
│   └── [ 325]  settings.gradle
├── [1.0K]  LICENSE.md
├── [2.6K]  README.md
└── [4.0K]  src
    ├── [ 15K]  binder_client.c
    ├── [2.8K]  binder_client.h
    ├── [ 14K]  binder.h
    ├── [4.8K]  dev_config.h
    ├── [ 39K]  exploit.c
    ├── [2.3K]  exploit.h
    ├── [1.2K]  kernel_constants.h
    ├── [8.0K]  ksym.c
    ├── [4.0K]  libsepol
    │   ├── [4.0K]  include
    │   │   ├── [ 615]  Makefile
    │   │   └── [4.0K]  sepol
    │   │       ├── [1.5K]  boolean_record.h
    │   │       ├── [1.3K]  booleans.h
    │   │       ├── [ 752]  context.h
    │   │       ├── [1.6K]  context_record.h
    │   │       ├── [ 975]  debug.h
    │   │       ├── [ 826]  errcodes.h
    │   │       ├── [1.4K]  handle.h
    │   │       ├── [2.1K]  ibendport_record.h
    │   │       ├── [1.4K]  ibendports.h
    │   │       ├── [2.2K]  ibpkey_record.h
    │   │       ├── [1.3K]  ibpkeys.h
    │   │       ├── [1.8K]  iface_record.h
    │   │       ├── [1.4K]  interfaces.h
    │   │       ├── [ 125]  kernel_to_cil.h
    │   │       ├── [ 126]  kernel_to_conf.h
    │   │       ├── [2.6K]  module.h
    │   │       ├── [ 329]  module_to_cil.h
    │   │       ├── [2.7K]  node_record.h
    │   │       ├── [1.3K]  nodes.h
    │   │       ├── [4.0K]  policydb
    │   │       │   ├── [1.6K]  avrule_block.h
    │   │       │   ├── [4.6K]  avtab.h
    │   │       │   ├── [4.6K]  conditional.h
    │   │       │   ├── [2.5K]  constraint.h
    │   │       │   ├── [3.5K]  context.h
    │   │       │   ├── [3.5K]  ebitmap.h
    │   │       │   ├── [3.6K]  expand.h
    │   │       │   ├── [1.5K]  flask_types.h
    │   │       │   ├── [3.3K]  hashtab.h
    │   │       │   ├── [1.8K]  hierarchy.h
    │   │       │   ├── [ 517]  link.h
    │   │       │   ├── [5.0K]  mls_types.h
    │   │       │   ├── [1.5K]  module.h
    │   │       │   ├── [ 731]  polcaps.h
    │   │       │   ├── [ 26K]  policydb.h
    │   │       │   ├── [8.5K]  services.h
    │   │       │   ├── [1.9K]  sidtab.h
    │   │       │   ├── [1.1K]  symtab.h
    │   │       │   └── [1.5K]  util.h
    │   │       ├── [4.7K]  policydb.h
    │   │       ├── [2.0K]  port_record.h
    │   │       ├── [1.3K]  ports.h
    │   │       ├── [ 862]  sepol.h
    │   │       ├── [2.3K]  user_record.h
    │   │       └── [1.3K]  users.h
    │   ├── [ 26K]  LICENSE
    │   ├── [4.0K]  src
    │   │   ├── [ 16K]  assertion.c
    │   │   ├── [5.5K]  avrule_block.c
    │   │   ├── [ 15K]  avtab.c
    │   │   ├── [ 141]  boolean_internal.h
    │   │   ├── [3.1K]  boolean_record.c
    │   │   ├── [4.4K]  booleans.c
    │   │   ├── [ 20K]  conditional.c
    │   │   ├── [1.5K]  constraint.c
    │   │   ├── [8.1K]  context.c
    │   │   ├── [1.2K]  context.h
    │   │   ├── [ 140]  context_internal.h
    │   │   ├── [5.9K]  context_record.c
    │   │   ├── [1.6K]  debug.c
    │   │   ├── [2.3K]  debug.h
    │   │   ├── [ 12K]  ebitmap.c
    │   │   ├── [ 86K]  expand.c
    │   │   ├── [1.8K]  flask.h
    │   │   ├── [1.2K]  handle.c
    │   │   ├── [ 472]  handle.h
    │   │   ├── [5.3K]  hashtab.c
    │   │   ├── [ 17K]  hierarchy.c
    │   │   ├── [ 149]  ibendport_internal.h
    │   │   ├── [6.0K]  ibendport_record.c
    │   │   ├── [5.8K]  ibendports.c
    │   │   ├── [ 137]  ibpkey_internal.h
    │   │   ├── [7.7K]  ibpkey_record.c
    │   │   ├── [6.0K]  ibpkeys.c
    │   │   ├── [ 137]  iface_internal.h
    │   │   ├── [4.3K]  iface_record.c
    │   │   ├── [5.9K]  interfaces.c
    │   │   ├── [ 69K]  kernel_to_cil.c
    │   │   ├── [ 13K]  kernel_to_common.c
    │   │   ├── [3.0K]  kernel_to_common.h
    │   │   ├── [ 66K]  kernel_to_conf.c
    │   │   ├── [763K]  libsepol.a
    │   │   ├── [6.9K]  libsepol.map.in
    │   │   ├── [ 241]  libsepol.pc.in
    │   │   ├── [ 68K]  link.c
    │   │   ├── [2.9K]  Makefile
    │   │   ├── [ 18K]  mls.c
    │   │   ├── [2.4K]  mls.h
    │   │   ├── [ 23K]  module.c
    │   │   ├── [  27]  module_internal.h
    │   │   ├── [ 91K]  module_to_cil.c
    │   │   ├── [ 129]  node_internal.h
    │   │   ├── [ 12K]  node_record.c
    │   │   ├── [8.5K]  nodes.c
    │   │   ├── [ 11K]  optimize.c
    │   │   ├── [1011]  polcaps.c
    │   │   ├── [103K]  policydb.c
    │   │   ├── [2.1K]  policydb_convert.c
    │   │   ├── [ 162]  policydb_internal.h
    │   │   ├── [4.0K]  policydb_public.c
    │   │   ├── [ 35K]  policydb_validate.c
    │   │   ├── [ 204]  policydb_validate.h
    │   │   ├── [ 129]  port_internal.h
    │   │   ├── [4.7K]  port_record.c
    │   │   ├── [7.2K]  ports.c
    │   │   ├── [2.5K]  private.h
    │   │   ├── [ 55K]  services.c
    │   │   ├── [5.3K]  sidtab.c
    │   │   ├── [1.0K]  symtab.c
    │   │   ├── [ 129]  user_internal.h
    │   │   ├── [7.1K]  user_record.c
    │   │   ├── [8.6K]  users.c
    │   │   ├── [7.2K]  util.c
    │   │   └── [ 63K]  write.c
    │   └── [   4]  VERSION
    ├── [1.4K]  light_cond.c
    ├── [ 423]  light_cond.h
    ├── [1.5K]  Makefile
    ├── [8.1K]  root.c
    ├── [ 24K]  rw.c
    ├── [2.2K]  rw.h
    ├── [ 14K]  sepolicy.c
    ├── [2.1K]  sepolicy.h
    ├── [5.8K]  token_manager.c
    ├── [ 934]  token_manager.h
    ├── [4.8K]  uao.c
    ├── [ 261]  uao.h
    ├── [2.6K]  unix.c
    ├── [ 240]  unix.h
    ├── [2.2K]  util.c
    ├── [2.1K]  util.h
    └── [ 20K]  vuln.c

37 directories, 176 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.