James Loureiro and Alex Plaskett presented The Mate Escape - Huawei Pwn2Owning at Hacktivity 2018.
As memory corruption becomes harder and harder to exploit and more mitigations are added for these classes of vulnerabilities, another class is often overlooked yet often present: logic bugs. Logic bugs have some benefits, and on a platform such as Android the logic bug attack surface is massive. At the past two years' Mobile Pwn2Own competitions, MWR used logic bugs to achieve full compromise of both flagship Samsung and Huawei phones.
This talk described the processes used to rapidly find the types of bugs that had the potential to be used in a remote compromise chain against the Huawei Mate 9 Pro. It also discussed which key tools were advantageous for locating vulnerabilities at scale across the handset. The vulnerabilities used in the competition were also discussed, along with the techniques used to exploit them.