# Android Kernel Exploitation Lab

This lab guides you through setting up an environment to explore CVE-2019-2215, a critical Android kernel vulnerability in the binder subsystem.

## Documentation

- [Environment Setup](documentation/environment_setup.md)
- [Kernel privesc with gdb script](documentation/kernel_privesc_with_gdb_scripts.md)
- [Fuzzing with syzkaller](documentation/fuzzing_with_syzkaller.md)
- [Fuzzing with AFL++](documentation/fuzzing_with_afl++.md)

### Technical Details: CVE-2019-2215

This vulnerability is a use-after-free in the Android binder driver with the following characteristics:

1. **Root Cause**: When a binder fd is added to an epoll instance and the binder thread then exits (via the BINDER_THREAD_EXIT ioctl), the binder_thread object is freed while it is still reachable through epoll.
2. **Exploitation Path**:
   - Add a binder file descriptor to an epoll instance
   - Call the BINDER_THREAD_EXIT ioctl, which frees the binder_thread
   - Access the freed binder_thread through epoll
   - This yields a use-after-free condition exploitable for privilege escalation
3. **Impact**: This vulnerability affects Android 8.x, 9.0, and early versions of Android 10, potentially allowing local privilege escalation to root.
4. **Further Reading**:
   - [Original report on Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1942)
   - [Patch in Android kernel](https://android.googlesource.com/kernel/common/+/b77915bc0d4536a18d3f8d2d5a4d3770658bbc38)

## TODO

This lab is a work in progress.
Here are planned improvements:

### Short-term Improvements

- [ ] Fix Syzkaller configuration to properly target Android-specific syscalls
- [ ] Fix the Syzkaller SSH timeout listed under Known Issues
- [ ] Add detailed instructions for analyzing crash reports
- [ ] Include a simple exploit template for CVE-2019-2215
- [ ] Document proper kernel config settings for QEMU VM boot compatibility

### Future Enhancements

- [ ] Add support for other Android kernel vulnerabilities
- [ ] Create a Docker container for easier setup
- [ ] Add more comprehensive debugging guides with GDB examples
- [ ] Implement a step-by-step guide for developing a full privilege escalation exploit
- [ ] Support for ARM64 architecture in addition to x86_64

### Known Issues

Syzkaller cannot SSH into the QEMU guest: the TCP connection is established, but it times out during the SSH banner exchange.

```text
[    3.030651] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2868278d270, max_idle_ns: 440795290098 ns
[    4.040338] clocksource: Switched to clocksource tsc
2025/03/24 21:04:23 running ssh: []string{"-p", "13199", "-F", "/dev/null", "-o", "UserKnownHostsFile=/dev/null", "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10", "-i", "/home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa", "-v", "root@localhost", "pwd"}
2025/03/24 21:04:33 ssh failed: failed to run ["ssh" "-p" "13199" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa" "-v" "root@localhost" "pwd"]: exit status 255
OpenSSH_9.9p2, OpenSSL 3.4.1 11 Feb 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to localhost [::1] port 13199.
debug1: connect to address ::1 port 13199: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 13199.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa type 0
debug1: identity file /home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
Connection timed out during banner exchange
Connection to 127.0.0.1 port 13199 timed out
```

### Community Contributions

If you're interested in contributing to this project, please consider addressing any of the items above or submitting your own ideas through a pull request.

#### Help

We are particularly looking for help with:

1. Fixing the known issues
2. Improving QEMU configuration for better compatibility with the Android kernel
3. Creating a reliable fuzzing setup that works across different Linux distributions

If you have expertise in these areas, your contributions would be greatly appreciated!
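The log under Known Issues reads differently once the two halves are separated: the `::1` refusal is only ssh's IPv6 attempt (QEMU's hostfwd is bound on 127.0.0.1), while the IPv4 attempt reaches "Connection established" and then dies waiting for the SSH banner. With QEMU user-mode networking the host-side TCP accept happens in QEMU before the guest has answered, so an established connection with no banner means nothing inside the guest answered on the forwarded port. Combined with the guest console going quiet at the clocksource switch (4.04 s), that points at a guest that stalled early in boot rather than at an SSH key or host problem. The helper below, added for this README and not part of the lab's own tooling, encodes that reading as a small log classifier. `SAMPLE_LOG` is an abridged copy of the Known Issues log (the long ssh argument list is shortened); everything else in the block is an assumption of this example.

```python
"""Classify a syzkaller "ssh failed" log into one of a few actionable verdicts.
Added example for this README, not part of syzkaller or of the lab's scripts."""
import re
from typing import Any, Dict, Tuple

_KERNEL_TS = re.compile(r"\[\s*(\d+\.\d+)\] ")          # "[    4.040338] ..." console lines
_CONNECTING = re.compile(r"Connecting to \S+ \[(?P<addr>[^\]]+)\] port (?P<port>\d+)")
_REFUSED = re.compile(r"connect to address (?P<addr>\S+) port (?P<port>\d+): Connection refused")
_EXIT = re.compile(r"exit status (\d+)")
_ESTABLISHED = "Connection established."
_BANNER_TIMEOUT = "Connection timed out during banner exchange"


def _verdict(info: Dict[str, Any]) -> Tuple[str, str]:
    """Map the collected facts to a verdict code and a one-sentence explanation."""
    if info["established"] and info["banner_timeout"]:
        # QEMU user-mode hostfwd accepts the host TCP connection itself, so an
        # established connection with no banner means the guest never answered.
        ts = info["last_kernel_ts"]
        tail = f"; guest console output stops at {ts:.3f}s" if ts is not None else ""
        return ("guest_sshd_silent",
                "host-side connect succeeded but no SSH banner came back: sshd in the "
                "guest never answered, the VM most likely stalled during boot" + tail)
    if info["refused"] and not info["established"]:
        return ("no_listener",
                "nothing is listening on the forwarded port on the host: QEMU is not "
                "running or the hostfwd port does not match the syzkaller config")
    if info["established"] and not info["banner_timeout"] and info["exit_status"] in (None, 0):
        return ("ok", "ssh reached the guest")
    return ("unknown", "pattern not recognised; read the full ssh -v output")


def diagnose_syzkaller_ssh(log: str) -> Dict[str, Any]:
    """Scan a syzkaller log (kernel console lines plus ssh -v output) and classify it."""
    info: Dict[str, Any] = {"port": None, "tried": [], "refused": [], "established": False,
                            "banner_timeout": False, "exit_status": None, "last_kernel_ts": None}
    for line in log.splitlines():
        if m := _KERNEL_TS.search(line):
            info["last_kernel_ts"] = float(m.group(1))   # last point the guest was heard from
        if m := _CONNECTING.search(line):
            info["port"] = int(m["port"])
            info["tried"].append(m["addr"])
        if m := _REFUSED.search(line):
            info["port"] = int(m["port"])
            info["refused"].append(m["addr"])             # a refused ::1 next to an established
        if _ESTABLISHED in line:                          # 127.0.0.1 is just the IPv6 attempt
            info["established"] = True
        if _BANNER_TIMEOUT in line:
            info["banner_timeout"] = True
        if m := _EXIT.search(line):
            info["exit_status"] = int(m.group(1))
    info["verdict"], info["advice"] = _verdict(info)
    return info


# Abridged copy of the log from the Known Issues section (ssh argument list shortened).
SAMPLE_LOG = """\
[    3.030651] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2868278d270, max_idle_ns: 440795290098 ns
[    4.040338] clocksource: Switched to clocksource tsc
2025/03/24 21:04:33 ssh failed: failed to run ["ssh" "-p" "13199" "-v" "root@localhost" "pwd"]: exit status 255
debug1: Connecting to localhost [::1] port 13199.
debug1: connect to address ::1 port 13199: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 13199.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_9.9
Connection timed out during banner exchange
Connection to 127.0.0.1 port 13199 timed out
"""

if __name__ == "__main__":
    result = diagnose_syzkaller_ssh(SAMPLE_LOG)
    print(result["verdict"], "-", result["advice"])
```

Run it against a real syzkaller log with `diagnose_syzkaller_ssh(open(path).read())`. A `guest_sshd_silent` verdict is the cue to look at the VM itself (serial console, kernel config for QEMU boot compatibility, whether the image's sshd starts) rather than at keys or host networking; `no_listener` is the cue to check that QEMU is up and the hostfwd port matches the syzkaller config.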
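The TODO list asks for instructions on analyzing crash reports, and the fuzzing pages produce exactly one kind: KASAN reports. The first triage question for a use-after-free like the binder one described under Technical Details is always the same three stacks: where the object was allocated, where it was freed, and where it was touched afterwards, with KASAN's own reporting frames and the generic allocator frames stripped so the owning kernel functions stand out. The parser below is an added example for this README, not one of the lab's own scripts; `SAMPLE_REPORT` is a constructed report whose addresses, offsets and frame layout are illustrative only, shaped like the epoll-teardown-after-thread-exit crash the Technical Details section describes, and all function and field names in the block are this example's own.

```python
"""Added example (not one of the lab's own scripts): first-pass triage of a
KASAN report of the kind syzkaller saves when the fuzzed kernel crashes.
SAMPLE_REPORT is constructed for this example, not a real crash from the lab."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# KASAN's own reporting frames top every stack and say nothing about the bug.
_REPORT_FRAMES = {"dump_stack", "print_address_description", "kasan_report",
                  "__kasan_report", "__asan_load8", "__asan_store8", "kasan_slab_free",
                  "__kasan_slab_free", "kasan_kmalloc", "__kasan_kmalloc"}
# Generic allocator entry points; the frame below them is the real owner.
_ALLOCATOR_FRAMES = {"kfree", "kvfree", "kmem_cache_free", "kmem_cache_alloc",
                     "kmem_cache_alloc_trace", "__kmalloc", "kmalloc"}
_HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
_ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr [0-9a-f]+ by task (?P<task>\S+)/\d+")
_CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<objsize>\d+)")
# Symbolised frame: "func+0x1bc/0x1f0 file:line"; "[inline]" frames carry no offset.
_FRAME = re.compile(r"^(?P<func>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    task: str = ""
    cache: str = ""
    objsize: int = 0
    access_stack: List[str] = field(default_factory=list)
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)

    def fingerprint(self) -> str:
        """Coarse dedup key: bug class plus the first non-KASAN access frame."""
        top = self.access_stack[0] if self.access_stack else self.func
        return f"{self.kind}:{top}"


def owner_frame(stack: List[str]) -> str:
    """The kernel function that actually performed the allocation or the free."""
    return next((fn for fn in stack if fn not in _ALLOCATOR_FRAMES), "")


def parse_kasan(text: str) -> Optional[KasanReport]:
    """Walk the report line by line; blank lines end the stack sections."""
    rep = KasanReport()
    stacks = {"access": rep.access_stack, "alloc": rep.alloc_stack, "free": rep.free_stack}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not rep.kind:                      # nothing counts before the BUG: header
            if m := _HEADER.search(line):
                rep.kind, rep.func = m["kind"], m["func"]
            continue
        if m := _ACCESS.search(line):
            rep.op, rep.size, rep.task = m["op"], int(m["size"]), m["task"]
        elif line.startswith("Call Trace:"):
            section = "access"
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif m := _CACHE.search(line):
            rep.cache, rep.objsize = m["cache"], int(m["objsize"])
        elif not line:
            section = None
        elif section and (m := _FRAME.match(line)) and m["func"] not in _REPORT_FRAMES:
            stacks[section].append(m["func"])
    return rep if rep.kind else None


# Constructed sample: a freed binder_thread's wait queue touched during epoll teardown.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in remove_wait_queue+0x52/0x1c0
Read of size 8 at addr ffff8880a1b4c508 by task syz-executor0/1234

Call Trace:
 dump_stack+0x13e/0x194
 kasan_report+0x25e/0x380
 __asan_load8+0x77/0x80
 remove_wait_queue+0x52/0x1c0
 ep_unregister_pollwait+0x134/0x1b0
 ep_free+0x81/0x1a0
 __fput+0x1f0/0x4e0

Allocated by task 1234:
 kasan_kmalloc+0xad/0xe0
 kmem_cache_alloc_trace+0x123/0x2e0
 binder_get_thread+0x1ee/0x4c0
 binder_ioctl+0x14f/0x1080

Freed by task 1234:
 kasan_slab_free+0x72/0xc0
 kfree+0x95/0x190
 binder_thread_release+0x185/0x1f0
 binder_ioctl+0x6f5/0x1080

The buggy address belongs to the object at ffff8880a1b4c400
 which belongs to the cache kmalloc-512 of size 512
"""

if __name__ == "__main__":
    r = parse_kasan(SAMPLE_REPORT)
    print(r.fingerprint(), "| allocated in", owner_frame(r.alloc_stack),
          "| freed in", owner_frame(r.free_stack))
```

The `fingerprint()` key is the cheap way to tell whether a new syzkaller crash is the same bug seen before (same bug class, same first real frame) before spending time in gdb, and `owner_frame()` on the free and allocation stacks names the two kernel functions whose lifetimes disagree, which is where a root-cause read of the driver source starts. The regexes follow the KASAN text format of 4.x kernels with syzkaller's symbolised frames; reports from other kernel versions may need the patterns adjusted.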