Project Zero

Analyzing a Modern In-the-wild Android Exploit

In December 2022, Google's Threat Analysis Group discovered an exploit chain targeting Samsung Android devices. The chain used two 0-day vulnerabilities: CVE-2023-0266, a use-after-free race condition in the ALSA compatibility layer of the Linux kernel, and CVE-2023-26083, an information leak in the Arm Mali GPU driver. The Mali bug was used to leak kernel address-space information and defeat KASLR. The ALSA race condition let the exploit reclaim freed kernel memory with attacker-controlled data, using Mali GPU driver features as the heap-spray mechanism; the controlled object gave the attackers control over the kernel program counter, which they turned into arbitrary read/write access in the kernel. From there the exploit moved to a deterministic, highly reliable arbitrary read/write technique built on the Linux kernel VFS subsystem: it replaced ashmem_misc.fops with a pointer to a fake file_operations struct, so that files subsequently created by opening /dev/ashmem dispatched their file operations through attacker-controlled function pointers. Both vulnerabilities have since been patched.
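As an added example (not Project Zero's code and not the Linux kernel's), the following C program models the dispatch path that makes the ashmem technique work: misc_open() copies the miscdevice's fops pointer into the new struct file, so a single pointer-sized write to the ashmem_misc global redirects every later open of /dev/ashmem. The struct names follow the kernel's, but the two-member structs, the ashmem_read/ashmem_write stand-ins, the fake_fops handlers, arb_write_ptr (standing in for the write primitive obtained from the ALSA bug) and the constructed kernel_secret/kernel_target buffers are all assumptions of this model, not kernel code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct file;

/* Two-member subset of the kernel's struct file_operations; the real struct
 * has many more handlers, all dispatched the same way. */
struct file_operations {
    long (*read)(struct file *f, char *buf, size_t len);
    long (*write)(struct file *f, const char *buf, size_t len);
};

/* Subset of struct miscdevice: misc_register() keeps the driver's fops
 * pointer here, in a writable kernel global. */
struct miscdevice {
    const char *name;
    const struct file_operations *fops;
};

struct file {
    const struct file_operations *f_op;
};

/* Constructed stand-ins for kernel memory the attacker reads and writes. */
static char kernel_secret[32] = "constructed-kernel-bytes";
static char kernel_target[32] = "untouched";

/* Legitimate handlers: stand-ins for the ashmem driver's real ones. */
static long ashmem_read(struct file *f, char *buf, size_t len)
{
    (void)f;
    memset(buf, 'A', len);
    return (long)len;
}

static long ashmem_write(struct file *f, const char *buf, size_t len)
{
    (void)f; (void)buf;
    return (long)len;
}

static const struct file_operations ashmem_fops = { ashmem_read, ashmem_write };
static struct miscdevice ashmem_misc = { "ashmem", &ashmem_fops };

/* Model of misc_open(): the pointer held in the miscdevice at open time is
 * copied into the new struct file and decides that fd's handlers for good. */
static void misc_open(const struct miscdevice *c, struct file *f)
{
    f->f_op = c->fops;
}

static long vfs_read(struct file *f, char *buf, size_t len)
{
    return f->f_op->read(f, buf, len);
}

static long vfs_write(struct file *f, const char *buf, size_t len)
{
    return f->f_op->write(f, buf, len);
}

/* Attacker-controlled fake file_operations: read() copies out of, and
 * write() copies into, an attacker-chosen kernel address. */
static void *rw_target;

static long fake_read(struct file *f, char *buf, size_t len)
{
    (void)f;
    memcpy(buf, rw_target, len);
    return (long)len;
}

static long fake_write(struct file *f, const char *buf, size_t len)
{
    (void)f;
    memcpy(rw_target, buf, len);
    return (long)len;
}

static const struct file_operations fake_fops = { fake_read, fake_write };

/* Stand-in for the exploit's initial arbitrary write (assumed to come from
 * the ALSA bug); one pointer-sized write is all the technique needs. */
static void arb_write_ptr(const struct file_operations **slot,
                          const struct file_operations *val)
{
    *slot = val;
}

/* Scenario: 'before' is opened with the real fops, the global is overwritten,
 * 'after' is opened. Fills before_out/after_out with what read() returns on
 * each fd, then uses write() on 'after' to overwrite kernel_target.
 * Returns 1 if only the fd opened after the overwrite was hijacked. */
int fops_hijack_demo(char *before_out, char *after_out, size_t len)
{
    struct file before, after;

    misc_open(&ashmem_misc, &before);
    arb_write_ptr(&ashmem_misc.fops, &fake_fops);
    misc_open(&ashmem_misc, &after);

    vfs_read(&before, before_out, len);   /* still the legitimate handler */

    rw_target = kernel_secret;             /* arbitrary read */
    vfs_read(&after, after_out, len);

    rw_target = kernel_target;             /* arbitrary write */
    vfs_write(&after, "owned", 6);

    return before_out[0] == 'A' &&
           memcmp(after_out, kernel_secret, len) == 0 &&
           strcmp(kernel_target, "owned") == 0;
}

const char *kernel_target_value(void) { return kernel_target; }

int main(void)
{
    char before[16], after[17] = {0};
    int ok = fops_hijack_demo(before, after, 16);
    printf("only post-overwrite fd hijacked: %s\n", ok ? "yes" : "no");
    printf("read through fake fops: %.16s\n", after);
    printf("kernel_target now: %s\n", kernel_target);
    return ok ? 0 : 1;
}
```

Two properties visible in the model explain why the technique is deterministic: the target is a single pointer at a fixed global address (known once KASLR is defeated), and only files opened after the overwrite pick up the fake table, so the exploit controls exactly which descriptors dispatch through fake_fops while existing ones keep working normally.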
googleprojectzero.blogspot.com