在大多数用户的印象里,GPU(图形处理器)是游戏流畅、视频绚丽的保障,是沉浸在虚拟世界背后的无名英雄。然而,在现代移动计算架构,尤其是在安卓生态中,GPU的角色早已超越了“图形画师”的范畴。它通过诸如OpenCL、Vulkan等通用计算框架,深度参与到机器学习、图像处理、甚至安全计算等关键任务中,成为了SoC(系统级芯片)中与CPU平起平坐的“第二颗大脑”。
正是这种权限与复杂性的与日俱增,使其成为了安全攻防的新前线。传统的安全模型高度聚焦于加固CPU和操作系统内核,却往往忽视了GPU这个拥有独立驱动、固件(Firmware)和强大DMA(直接内存访问)能力的“特权邻居”。一旦这个邻居的“家门”被撬开,攻击者获得的将是一个绕过所有主流内核防护机制的绝佳跳板。
在一个多月前,Linux 内核中的 Netfilter 模块下针对 nft_tunnel 中存在的一处越界写漏洞补丁被提交到内核主线,该漏洞被分配为 CVE-2025-22056,本篇文章旨在通过利用该漏洞对内核实现提权,同时该漏洞影响 Linux Kernel Version5.7-6.14 所有版本,由于在 Ubuntu 中该模块被添加为默认配置,因此该漏洞对于未打补丁的 Ubuntu 系统仍然能够有效提权。
当人们谈论“手机隐私”时,往往默认指的是是否授权摄像头、麦克风、定位。但在实际的移动互联网生态中,真正决定一个用户是否“可被识别”的,不是这些高敏感权限,而是藏于设备系统、网络协议、以及广告SDK背后的那些身份锚点。
在讲述漏洞之前, 让我们设想这样一个场景: 你有一座设有严密防御的城堡,城墙高大坚固,把敌人挡在外面。你的城堡有唯一的入口,那就是一个重门深锁、有严格守卫检查的大门。然后,为了增加便利性,你决定在城堡的另一侧增加一个小门,方便城堡内的人快速出入。然而,你在增加这个新功能后,忘记了对这个小门进行同样严格的防御和检查。这就相当于在你的城堡的防线上留下了一个大漏洞。敌人可以绕过主门的严格检查,通过这个没有守卫的小门轻易进入城堡。
本次要讲述的漏洞CVE-2024-4761就是城堡的小门: 随着v8中wasm模块的蓬勃发展, 添加了许多新类型的对象, 这些新类型对于旧有的代码提出了源源不断的挑战, 导致旧有代码遗漏了某些检查.
本文着重于漏洞分析, 尝试从patch开始一步步构建出POC.
GPU是终端设备负责图形化渲染的硬件,和CPU相比,它能更高效地并行计算。传统的PC端GPU可以通过PCIe接口在主板上热插拔,而在移动端,GPU往往和CPU集成在一块芯片上,再搭配负责网络通信的基带等配件,统一称为SoC。目前移动端市场占有率比较高的SoC有高通的骁龙系列处理器、联发科天玑系列处理器、华为海思处理器等。这些SoC的CPU部分都有统一规范的arm指令集,这保证了一套程序只需编译一次,在不同厂商的CPU上都能正确运行。但是这些厂商的GPU指令集却非常封闭,甚至有些没有公开的文档,每家厂商在自己的标准上发展了自己的生态,试图构建商业护城河。作为开发者如果需要根据每个硬件厂商定制不同的GPU操作逻辑,想必是一件非常复杂的事情,而事实上的安卓开发者,大多数情况下并不需要接和GPU进行交互,我们在绘制一个窗口、展示一张图片时,是通过调用安卓系统封装的统一接口实现。那安卓又是如何保证这么多硬件兼容性的呢?
This article analyzes the cause of CVE-2024-31317, an Android user-mode universal vulnerability, and shares our exploitation research and methods. Through this vulnerability, we can obtain code-execution for any uid, similar to breaking through the Android sandbox to gain permissions for any app. This vulnerability has effects similar to the Mystique vulnerability discovered by the author years ago (which won the Pwnie Award for Best Privilege Escalation Bug), but each has its own merits.
v8_feedback_normalization_非默认配置RCE漏洞分析与利用
The Android Application Sandbox is the cornerstone of the Android Security Model, which protects and isolates each application’s process and data from the others. Attackers usually need kernel vulnerabilities to escape the sandbox, which by themselves proved to be quite rare and difficult due to emerging mitigation and attack surfaces tightened.
However, we found a vulnerability in the Android 11 stable that breaks the dam purely from userspace. Combined with other 0days we discovered in major Android vendors forming a chain, a malicious zero permission attacker app can totally bypass the Android Application Sandbox, owning any other applications such as Facebook and WhatsApp, reading application data, injecting code or even trojanize the application ( including unprivileged and privileged ones ) without user awareness. We named the chain “Mystique” after the famous Marvel Comics character due to the similar ability it possesses.
In this talk we will give a detailed walk through on the whole vulnerability chain and bugs included. On the attack side, we will discuss the bugs in detail and share our exploitation method and framework that enables privilege escalation, transparently process injection/hooking/debugging and data extraction for various target applications based on Mystique, which has never been talked about before. On the defense side, we will release a detection SDK/tool for app developers and end users since this new type of attack differs from previous ones, which largely evade traditional analysis.