A bug collision tale

The inside story of our CVE-2019-2025 exploit


This talk will be about a Binder vulnerability that was first disclosed to Google by the Qihoo 360 C0RE Team, but also found by Jann Horn (who else?) and ourselves before it was fixed. The vulnerability was assigned CVE-2019-2025 and the Qihoo 360 guys named it "Waterdrop".

We found this and another recently fixed bug in the Binder driver in mid-September 2018. We spent a considerable amount of time developing reliable exploits for the Google Pixel 3 and Galaxy S9 handsets during the fall of 2018. Soon after we were finished, we realized the bug had "just" been fixed upstream and it was only a matter of time until the fix would make it to Android.

In this talk we'll give insight on the emotional roller-coaster of developing a reliable exploit for this bug, the issues we faced and the techniques we used to solve them.

We'll describe how our exploit achieves read/write access to the kernel in spite of all mitigations present (PXN/PAN, CFI, and additionally the RKP hypervisor in Samsung phones) and escalates to root.

Finally, we'll compare our approach to that of Qihoo 360 and learn some lessons from that.


The slides we presented at OffensiveCon 2020 can be found below:


Eloi Sanfelix (slides and exploit), Jordan Gruskovnjak (exploit)