
New Video from @BlackHatOfficialYT: Exploiting GPU Vulnerabilities on Smartphones
In this video, Shing, the manager of the Android Red Team, and Shiling, a security expert, discuss exploiting GPU vulnerabilities on smartphones. They focus on Qualcomm GPUs, particularly the Adreno GPUs, and explain how they discovered and exploited a vulnerability to gain root privileges from unprivileged applications.

The Android Red Team's mission is to improve the security of Android and Pixel devices by simulating adversarial attacks on key Android components. The team conducts offensive security research, examines designs and implementations, and develops proofs of concept to demonstrate the real impact of vulnerabilities. It also uses tools for static analysis and continuous fuzzing.

GPUs are an interesting target for security researchers because unprivileged applications can access GPU drivers without special permissions. GPUs directly manipulate physical memory and contain complex optimizations, which makes them prone to bugs. Qualcomm is a major supplier of GPUs for smartphones, and its GPU drivers are constantly evolving, introducing new vulnerabilities. The team examined Qualcomm's security bulletins and discovered several vulnerabilities, including CVE-2024-23380. This vulnerability allows an attacker to obtain root privileges by exploiting a race condition in the GPU driver. The team reported it to Qualcomm, which released a patch in July 2024.

Shiling explains the architecture of Adreno GPUs and the new features that were introduced, such as the hardware scheduler and new memory structures. He describes how the team discovered the vulnerability by analyzing the code and using fuzzing techniques. The vulnerability resides in the process of binding and unbinding memory objects, where a race condition allows access to freed physical memory pages. To exploit it, they used a memory spraying technique to control physical memory pages and access kernel memory. They also describe a method to bypass KASLR protections by modifying function pointers in memory structures. This method can be generalized to exploit other types of buffer overflow or race condition vulnerabilities.

In conclusion, the team discusses the methodologies used to discover vulnerabilities, such as patch analysis and fuzzing. They also propose potential solutions to improve GPU driver security, such as adding an abstraction layer to sandbox GPU interfaces and using memory-safe programming languages like Rust.

For more details, watch the full video at: https://www.youtube.com/watch?v=Wr1Gio6X-O0