Public baseband exploitation originally focused on message-decoding bugs in layer 3 (NAS and RRC) and, more recently, in layer 4 (traffic over IP). In this presentation we uncover a new area of exploration for remote baseband exploitation: layer 2. In the past, this part of the cellular specifications has been overlooked because of its function and its packet size limitations. However, a deeper dive uncovers possibilities that show up in both old and new standards. Importantly, this layer sits below the ciphering applied to cellular communications, so the attack surface is reachable not only from fake base stations but also by directly MITM-ing legitimate cell tower communications. The presentation will describe the chain of vulnerabilities we have found and explain how to exploit them for remote code execution in the baseband of flagship Samsung smartphones. The new class of bugs meant new challenges in both developing and delivering an exploit. I will describe how we modified radio software to inject a more complex sequence of malicious layer 2 traffic without normal operation interfering with the execution of the attack. In addition, I will explain how we created debugging and heap visualization tooling for the target, introduce the heap shaping techniques we came up with in order to write a reliable exploit, and discuss creating baseband exploits that take into consideration the huge fragmentation of firmware variants in the wild.
Original source: Daniel Komaromy, "There Will Be Bugs: Exploiting Basebands in Radio Layer Two"
Please credit when reposting: There Will Be Bugs: Exploiting Basebands in Radio Layer Two | CTF导航