Android Dalvik, Inside OAT, Inside ELF UPD
Checked a Nexus 6P: device & system applications have an oat folder, but inside, an odex file is present. I was expecting corresponding oat files similar to boot.oat. As far as I know odex is just optimized dex, used since Dalvik's time, produced by the dexopt tool.
The first case is not really interesting to us, but the second one is. The unzip operation is done using the standard ZipInputStream class, and it is a well-known issue that if no validation is done on the filenames inside the archive, a directory traversal can be performed: an entry named with `../` components is written outside the intended extraction directory. The vulnerability is similar to the one reported by @fuzion24 in the Samsung keyboard update mechanism.
Now, how do we get code execution? When you have the capability to write data anywhere you want as the system user, the typical solution is to overwrite some files inside the dalvik-cache. On Android 5, dalvikvm is not used anymore; it has been replaced by the ART runtime. In the same way as ODEX files, OAT files are generated from an .apk by the package manager by invoking dex2oat, and the resulting files are written to the /data/dalvik-cache/ directory (still with a .dex extension, although the content is an OAT image in ELF format). So we can still use this method to get code execution.
That demonstrates that we managed to get code execution from this vulnerability by overwriting an existing file in the dalvik-cache. Of course, this is not optimal, because we need to craft the right OAT file, which is unfortunately device-specific and even ROM-specific. An easier and more reliable way to exploit this vulnerability would be to do it in multiple stages. First, get code execution on the device as a less privileged user, focusing on reliability (i.e. without overwriting anything inside the dalvik-cache). Then, use that unprivileged access to build a compatible OAT file for AccessControl.apk, using tools like dex2oat directly on the device, and finally build a cred[something].zip ZIP file on the SD card that writes the custom OAT file into the dalvik-cache and achieves code execution as system.
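The two pieces above, the unchecked ZipInputStream extraction and the archive that abuses it, are shown together in the added example below. It is not code from the original post or from the Samsung application; the entry names, the in-memory archive and the temporary directories are constructed for the demonstration, and the `../escaped.txt` entry merely stands in for a traversal path into the dalvik-cache (no real device path is used). `extractUnchecked` reproduces the vulnerable pattern, `extractChecked` is the canonical-path fix a reviewer would ask for.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipTraversalDemo {

    // Build an archive in memory whose second entry carries a "../" component.
    // Constructed sample: the traversal target is a placeholder, not a dalvik-cache path.
    static byte[] craftArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            zos.putNextEntry(new ZipEntry("benign.txt"));
            zos.write("harmless".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../escaped.txt"));
            zos.write("written outside the extraction directory".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return buf.toByteArray();
    }

    // Vulnerable pattern: the entry name is joined to destDir with no validation,
    // so "../" in the name walks out of destDir (the bug described in the post).
    static void extractUnchecked(byte[] zip, File destDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                File out = new File(destDir, e.getName());
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                try (OutputStream os = new FileOutputStream(out)) {
                    copy(zis, os);
                }
            }
        }
    }

    // Hardened variant: canonicalise the resolved path and require it to stay
    // below destDir. The trailing separator stops "dest2/..." from passing as "dest".
    static void extractChecked(byte[] zip, File destDir) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                File out = new File(destDir, e.getName());
                if (!out.getCanonicalPath().startsWith(root)) {
                    throw new IOException("zip entry escapes destination: " + e.getName());
                }
                if (e.isDirectory()) { out.mkdirs(); continue; }
                out.getParentFile().mkdirs();
                try (OutputStream os = new FileOutputStream(out)) {
                    copy(zis, os);
                }
            }
        }
    }

    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] b = new byte[4096];
        int n;
        while ((n = in.read(b)) != -1) out.write(b, 0, n);
    }

    public static void main(String[] args) throws IOException {
        byte[] zip = craftArchive();
        File parent = Files.createTempDirectory("ziptest").toFile();
        File dest = new File(parent, "extract");
        dest.mkdirs();

        // The unchecked extractor drops escaped.txt next to, not inside, "extract".
        extractUnchecked(zip, dest);
        System.out.println("unchecked wrote sibling file: " + new File(parent, "escaped.txt").exists());

        // The checked extractor rejects the archive before writing the escaping entry.
        try {
            extractChecked(zip, dest);
            System.out.println("checked accepted the archive (unexpected)");
        } catch (IOException ex) {
            System.out.println("checked refused: " + ex.getMessage());
        }
    }
}
```

Run with `javac ZipTraversalDemo.java && java ZipTraversalDemo`. The first line printed is `true`: the sibling file exists because the unchecked loop trusted the entry name. Note that `getCanonicalPath()` also resolves symlinks, which is why it is preferred over `getAbsolutePath()` for this check: a symlinked subdirectory inside the destination would otherwise let an entry escape even without `../`.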
Essentially, this is because the original Dalvik Executable (DEX) file is embedded alongside the compiled code in the Optimized Ahead-of-Time (OAT) file, which is the ART executable format, and the DEX bytecode and the compiled machine code have a one-to-one mapping. For this reason, if the runtime can be manipulated into executing the DEX bytecode carried inside the OAT file, vulnerabilities of the Dalvik VM can be exploited as-is on ART. Therefore, in this paper, we propose a scheme to overcome this weakness by eliminating the one-to-one mapping between bytecode and machine code and exposing disguised bytecode to confuse analysts.
Below is an example. Records are grouped into 4 sample entries, each entry being a row. There are several columns, each showing one piece of information belonging to a sample entry. The first column is Overhead, which shows the percentage of events in the current sample entry out of the total event count. As the perf event is cpu-cycles, the overhead can be read as the percentage of CPU time spent in each function.
The report above shows samples hitting different places inside the function checkValid(). By using objdump to disassemble libsudo-game-jni.so, we can find which are the hottest instructions in checkValid().