Author: Moshe Kol
Privilege escalation exploit from unstrusted_app
for Android Binder vulnerability (CVE-2022-20421). The vulnerability is patched on Android's Security Bulletin of October 2022. The exploit works on devices running kernel versions 5.4.x and 5.10.x, and it achieves full kernel R/W primitives. For the Google Pixel 6, it also obtains full root and SELinux bypass.
You can find the full write-up here.
- Compile the
libbadspin.so
library by typingmake push
in thesrc/
directory. This will also push the library to/data/local/tmp
. - Run
adb shell
. - Run
LD_PRELOAD=/data/local/tmp/libbadspin.so sleep 1
. This will load the library and start the exploit.
- Compile
libbadspin.so
by typingmake push
in thesrc/
directory. This will copy the library to theassets
directory for the demo Android app. - Compile the demo Android app in the
app/
directory. (You might need Android Studio to do this.) - Run the app and click on the "Exploit" button.
- Consume logs using:
adb logcat -s BADSPIN
You can pass the following variables to make
:
VERBOSE=1
to increase verbosity.TEST_VULN=1
to test the vulnerability without proceeding with the exploit.
$ make list
0: Samsung Galaxy S22, Android 12 (6/2022), kernel 5.10.81
1: Samsung Galaxy S21 Ultra, Android 12 (3/2022), kernel 5.4.129
2: Google Pixel 6, Android 12 (5/2022), kernel 5.10.66
3: Google Pixel 6, Android 13 (9/2022), kernel 5.10.107
It is not difficult to adapt the exploit and support a new device.
-
Make sure your new device runs on kernel version 5.4.x or 5.10.x, and that its Android's security patch level is below October 2022.
-
Add your device properties to
dev_config.h
. -
Specify two function pointers:
kimg_to_lm()
: Converts a kernel image virtual pointer to the linear mapping.find_kbase()
: Finding the kernel base address from ananon_pipe_buf_ops
leaked pointer.
You may use the already provided functions for this. (If your vendor is not Samsung and you're not sure, use the same functions as for the Pixel 6.)
-
Compile and run.
If it works for you, please submit a pull request.
- The phone might crash on unsuccessful attempts.
- The exploit is unstable in the first few minutes after boot.
- Only works on kernel versions 5.4.x and 5.10.x.
- Only achieves kernel R/W on non-Pixel devices.