Android Security Ecosystem Investments Pay Dividends for Pixel
http://security.googleblog.com/2018/01/android-security-ecosystem-investments.html [security.googleblog.com]
2018-01-18 19:38
This blog post covers the technical details of the exploit chain. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug that is used to get remote code execution in the sandboxed Chrome renderer process. CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from Chrome’s sandbox. Together, this exploit chain can be used to inject arbitrary code into system_server when a malicious URL is opened in Chrome.