• The "AVSS Contest 2024 International" is designed to target a diverse range of software and systems, with a particular emphasis on systems of mobile phones and V2X.

• The competition encompasses multiple challenge sets, each featuring distinct system environments that share common vulnerabilities.

• The primary objective is to evaluate participants' proficiency in exploiting these vulnerabilities across varying systems.

• KARTING: Challenge-response-based authentication and challenge is generated from a unique hardware ID. The interface is Implemented as a secret code from a dial number.

• VEE: Challenge-response-based authentication based on a hardcode key. The interface is Implemented as a DoIP server which needs to connect to the vehicle ethernet.

• ONE: Challenge-response-based authentication based on a unique key in each machine. The interface is Implemented as a DoIP server which needs to connect to the vehicle ethernet.

Just for indication, but not the same key

FORMULA_ONE

ONE has a similar environment and the same goal as VEE. It also requires players to change the identifierd09afrom 0 to 1.

But the key of authentication is not hardcode. The key is randomly generated and unique for each device and stored in TEE.

And the authentication has an anti bruteforce mechanism, if an invalid security access response is received, it needs about 10 seconds for the next try.

Just for indication, but not the same security level

So we think it is difficult to collide these 3-byte response values during the game and we don't have an expected solution for ONE. But it may have some memory corruption in the protocol stack.

05  KERNEL:INST

This challenge is about exploiting different privilege escalation vulnerabilities across different Android kernel versions. The challenge adds a syscall with two vulnerabilities and provides the patch file, requiring participants to escalate privileges to root from the adb shell in the emulator.

There are 4 functions in the syscall, namely,ADD, DELETE, EDIT, andRUN. ADDwill allocate aninst object with a function pointer inkmalloc-512slab and put it on the global list.DELETEwill remove an object from the list.EDITwill set the property of an object with the provided variable-length operands. RUN will traverse the list, execute the function pointer of the object, and then remove the whole list.

This challenge provides a backdoor function that will never be called. If you can call it in the kernel context, you can easily get to root.

noinline __int128 do_backdoor(__int128 input, __int128 *operands, unsigned long operand_num) {    struct cred *cred;    int ret;    cred = prepare_kernel_cred(NULL);  if (!cred) {        return -1;    }    ret = commit_creds(cred);    if (ret) {        return -1;    }    selinux_enforcing = 0;    return 0;}

The first vulnerability is an overflow in EDIT, which does not check theoperand_num properly. The size of theinstobject is 40 andMEM_SIZEis 512.round_up(472,16)equals 480, leading to an 8-byte-overflow inkmalloc-512.

if(_inst.operand_num > round_up(MEM_SIZE-sizeof(struct inst), sizeof(__int128))/sizeof(__int128))

The second vulnerability is a use-after-free inRUN. After executing all the function pointers, it willkfreeall the objects in the list, but it does not clear inst_head. WithEDIT, we can edit anything in a freedkmalloc-512 object, except the first 40 bytes.

list_for_each_entry_safe(curr, ptr, &inst_head->list, list) {    list_del(&curr->list);    kfree(curr);}kfree(inst_head);return 0;

KASLRis not enabled in the emulator, so no kernel address leak is needed.

Android 7

The kernel version of Android 7 is3.10.0and there is hardly any protection. Slab objects are allocated continuously in the memory, so 8-byte-overflow can overwrite the function pointer of the nextinstobject.

We can just use the overflow vulnerability to hijack the function pointer into the backdoor function and then useRUNto get to root

Android 11

The kernel version of Android 11 is 5.4.50, which enablesCONFIG_HARDENED_USERCOPY. This config will check the target object is fully in the slab object when callingcopy_*_user. So the overflow vulnerability is no longer exploitable any more.

This version also enableskCFIprotection, the backdoor function cannot be easily called by hijacking a function pointer.

To exploit theUAFvulnerability, we can spray some objects of kmalloc-512to take the place of theUAFobject and use the vulnerability to modify the data inside it.

pipe_bufferis a good object :

We can useF_SETPIPE_SZoption of the fcntl to adjustpipe_bufferto be allocated in kmalloc-512

Thepage variable inpipe_buffercan be utilized to achieve arbitrary read/write in physical memory.

Finally, we can traverse thetask_listto find the current task and set its uid, gid, etc. to zero. selinux_enforingshould also be cleared to disable SELinux.

Android 13

The kernel version of Android 11 is 5.15.78, which adds a new set ofkmalloc-cg-<n> (KMALLOC_CGROUP) caches for accounted objects only. The inst objects are allocated in normal caches, whilepipe_buffer objects are allocated in accounted objects. They are separated, thus spraying pipe_buffercannot easily reuse theUAFobject.

We can use the cross-cache attack to solve the problem. The main idea is to change the objectUAF into slab UAF:

Release all objects located in the slab(kmalloc-512) containing theUAFobject.

Return the slab into the buddy system.

Sprayingpipe_buffer to obtain it as a kmalloc-cg-512slab.

Exploiting theUAFvulnerability in the same way as in Android 11.

06 OLD-LOG

This challenge is based on the latest version (for Java 1.8) of the default Grails generated project and demonstrates the differences in exploiting the classic log4shell vulnerability across different versions of the Java runtime environment.

All four versions of the challenge have solutions! I hope to see everyone's creativity in finding different chains of exploitation, which is why I specifically used the default project and did not remove any dependencies unrelated to my own solution.

Java 1.8, 11, 17 and 21 are all LTS versions, so they are chosen.

v1.8 & v11

Both ldap and rmi can be used. Java module system(https://openjdk.org/projects/jigsaw/)  andencapsulated packages(https://cr.openjdk.org/~mr/jigsaw/jdk8-packages-strongly-encapsulated)protect (https://openjdk.org/jeps/396) was not introduced.

Some security researchers have found and shared many useful deserialization chains for Java 1.8. In this challenge, the most commonly used for v1.8 is Jackson as source and TemplatesImpl as sink. I think it is the obvious one since Grails depends on Spring Boot.

Note 1:

Tomcat's BeanFactory can't be used in this challenge because they removed forceString(https://github.com/apache/tomcat/commit/df7da6c29aace17c92fe47fe386ab14ece59b5d4) in 9.0.63.

Note 2:

Since 8u291, two vm properties are added:jdk.jndi.object.factoriesFilterand com.sun.jndi.ldap.object.trustSerialData. The latter property is default to true.

Since 8u311, the scope ofcom.sun.jndi.ldap.object.trustSerialDatais extended to javaReferenceAddress.

Note 3:

Java module system is introduced in Java 9, but strong encapsulation is relaxed by default due to migration, which means --illegal-access is default to permit.

v17

Two main differences: the first is that you can't use TemplatesImpl as the sink for the deserialization chain, and the second is that you can't use BadAttributeValueExpException to trigger Jackson's toString.

There are mainly two solutions: the first one is to utilize DataSourceFactory to trigger DataManager.getConnection,achieving RCE through the H2 JDBC Driver. The second one is to use GenericNamingResourcesFactory and SystemUtils to modify the org.apache.commons.collections.enableUnsafeSerialization property, and then RCE using the CC chain.

Note 1:

--illegal-accessis defaulted to deny on Java 16 and is removed on Java 17.

Note 2:

ThereadObject()method of BadAttributeValueExpException no longer callstoString(). It is patched by thiscommit(https://github.com/openjdk/jdk/commit/2d93a28447de4fa692a6282a0ba1e7d99c7c068b) (since Java 15?).

v21

Since Java 20, there are two patches related to JNDI and deserialization vulnerability:

JDK-8290367(https://bugs.openjdk.org/browse/JDK-8290367)：Default value of com.sun.jndi.ldap.object.trustSerialDatais changed to false.

JDK-8290368(https://bugs.openjdk.org/browse/JDK-8290368)：Add default ObjectFactoriesFilter for LDAP and RMI lookup in JNDI.

So, not only deserialization through JNDI lookup, but also Reference with ObjectFactory through JNDI or RMI, is unavailable for exploitation by default. There is only one viable path left, that is RMI lookup and deserialization gadgets.

My solution is hibernate → ExecutorTrackedRunnable → JFormattedTextField$FocusLostHandler → JFormattedTextField → DefaultFormatter → ClassPathXmlApplicationContext. If you use this chain, it is notable that serialVersionUID of some classes are different between Java 1.8 and Java 21. You can patch the serialVersionUID manually or run your tool on Java 21 with--add-opens. I think too many--add-opens are annoying for exploitation, so I write a simplelibrary magic.jms(https://github.com/ceclin/magic.jms), maybe helpful.