One SMS to Root Them All

The document presents a detailed analysis of firmware (FW) and MIDlet security vulnerabilities in modems, highlighting various CVEs and their implications. It discusses the extraction of firmware, security assumptions, and specific vulnerabilities such as heap overflow and improper privilege management. The authors conclude with mitigation guidelines and a list of identified CVEs, emphasizing the need for improved security measures in firmware distribution and management.

One SMS to Root Them All

Alexander Kozlov @N0um3n0n
Sergey Anufrienko @madprogrammer

Kaspersky ICS CERT

Agenda

I. Introduction
II. FW extraction
III. MIDlet security analysis
IV. FW security analysis
V. Conclusions
Our Team
Alexander Kozlov (@N0um3n0n)
• Principal security researcher at Kaspersky ICS CERT
• Has more than 10 years of experience in reverse engineering of hardware, low-level firmware, and system software. Also has professional experience in cryptography.
• As a Senior Lecturer, has shared knowledge with students for more than 8 years
Our Team
Sergey Anufrienko (@madprogrammer)
• Technology enthusiast and musician, boasting over two decades of experience in software engineering, tinkering with hardware and reverse engineering
Areas of application
Previous Research
What is a modem about?
Application types:
• Firmware (FW)
• Application (App)
• Java Remote Control (JRC)
• Service LWM2M Agent (SLAE)
Code privileges:
• Manufacturer
• User signed / unsigned
Security Assumptions: MIDlets
Confidentiality:
• it is impossible to determine the path to where MIDlets are stored
• it is impossible to bypass the restrictions preventing reading of files with .jar extension
Integrity:
• digital signature
Security Assumptions: FW
Confidentiality and Integrity:
• Distributing OS updates only to registered customers and only in encrypted form

II. FW extraction

HW Analysis

DO NOT USE?
REALLY?
Our own PCB
• LGA re-soldering

• JTAG pins for debug

• AT console
JTAG
• IDCODE: 0x101E3083
• No information about architecture
• Blackbox fuzzer didn’t find too much
Reading the NAND
• No NAND FS stuff
• No crypto
• Defeat errors with multiple readings
What is NAND memory about?
NAND Translation Analysis
• SA after every single sector

• Sector size is 0x200

• What if we look at SA only?


NAND Translation Analysis
• Clear LBN and LSN

• LPN can be dropped

• Linear structure
UFS Reconstruction
• Only a few blocks have data
• Found blocks with UFS and modem FW
FS Reconstruction

III. MIDlet security analysis

MIDlets and Modem FS
Java ME (Micro Edition):
• JAR file with Java code
• JAD file with settings
Files from UFS:
• Deleted after installation
• Copied to hidden place
MIDlets and Modem FS
Hidden FS: 4 files
• .ss – MIDlet permissions
• .ii – service information
• .ap – JAD
• .jar – MIDlet Java code

NO CERTIFICATE CHECK AFTER INSTALLATION! (CVE-2023-47611)
Custom static method: CVE-2023-47615
• Any MIDlet is allowed to call it
• Returns a list of all environment variables
• Leaks HIDDEN VERY SECURE paths
FTP client: CVE-2023-47612
• Only privileged MIDlets can R/W the entire UFS
• FTP code is in JRC
• FTP is accessible via AT commands by any user
Native path traversal: CVE-2023-47613
• A:/ is a UFS root
• B:/ is a hidden UFS root
• Connector.open("file:///root:/PATH")
• First checks for “../” and only then converts the escape sequence to ASCII
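As an added illustration of the check-ordering bug class on this slide (constructed example, not the modem's or the authors' code): the vulnerable variant tests for "../" on the raw string and percent-decodes afterwards, so an encoded traversal passes the check; the hardened variant decodes first and runs every check on the decoded form. The path format, buffer size and function names are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed illustration of the check-then-decode ordering bug described on
 * the "Native path traversal" slide. Not the modem's code: the path format,
 * the buffer size and the function names are assumptions. */
#define PATH_MAX_LEN 256

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (dst holds PATH_MAX_LEN bytes).
 * Returns false on a malformed escape or when the result would not fit. */
static bool percent_decode(const char *src, char *dst) {
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        char c = src[i];
        if (c == '%') {
            int hi = hexval(src[i + 1]);
            int lo = (hi < 0) ? -1 : hexval(src[i + 2]);
            if (lo < 0) return false;
            c = (char)(hi * 16 + lo);
            i += 2;
        }
        if (n + 1 >= PATH_MAX_LEN) return false;
        dst[n++] = c;
    }
    dst[n] = '\0';
    return true;
}

/* Vulnerable ordering: reject "../" on the still-encoded string, then decode. */
bool path_allowed_vulnerable(const char *raw, char *out) {
    if (strstr(raw, "../") != NULL) return false;   /* check on encoded form */
    return percent_decode(raw, out);                 /* decode afterwards */
}

/* Hardened ordering: decode first, then check the canonical (decoded) form. */
bool path_allowed_hardened(const char *raw, char *out) {
    if (!percent_decode(raw, out)) return false;
    if (strstr(out, "../") != NULL || strstr(out, "..\\") != NULL) return false;
    return true;
}
```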
Demo: Obtaining vendor-level privileges
1. Install user MIDlet
2. Run user MIDlet the first time
3. Exploit native path traversal
4. Run MIDlet the second time
5. Profit ☺

IV. FW security analysis

AT Commands
• User console is enough
• Need a corpus
Two groups:
• Vendor AT-commands
• General AT-commands

AT Commands
• So many general AT-commands

• Most of them have description

• …and a descriptor
Vendor-specific AT Commands
• Many vendor commands
• With description and descriptors again
• Some of them are for testing only
Vendor-specific AT Commands
• Many vendor commands
• With description and descriptors again
• And some of them are very nice
Vendor-specific AT Commands
• Some of them work fine
• …but some don’t
• We need the SEC key for them to work… or not? ☺
Vendor-specific AT Commands
• More AT functions
• In release FW!
Vendor-specific AT Commands

But there are other checks


Fuzzing Setup
• Got data about all AT commands from FW dump

• Crafted a fuzzing stand

• And waited…
AT command heap overflow
• Static buffer size

• User-controlled copy size

• Classic heap overflow


SUPL Heap Overflow

SUPL Heap Overflow: overview
• Two different vars for one purpose
• No checks about coherence
• Classic heap overflow… again
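Added example, not code from the talk: a constructed parser for a tiny length-prefixed message that shows the two checks closing the overflow patterns named on the AT-command slide (copy size taken from the input against a fixed-size buffer) and on this SUPL slide (two length values for one payload that are never compared). The wire format, the buffer size and all names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not the modem's code. Wire format assumed as
 * [len_hi][len_lo][body...]. Pattern 1 (AT-command slide): fixed buffer size,
 * user-controlled copy size. Pattern 2 (SUPL slide): two variables for one
 * length, never checked for coherence. Both are closed in check_lengths(). */

#define BODY_CAP 64   /* fixed-size heap chunk for the body */

typedef enum { MSG_OK, MSG_TRUNCATED, MSG_TOO_LONG, MSG_LEN_MISMATCH, MSG_NOMEM } msg_status;

typedef struct {
    size_t   len;    /* single source of truth for the body length */
    uint8_t *body;   /* heap chunk of exactly BODY_CAP bytes */
} msg_t;

/* Validates the header length against both the allocation size and the bytes
 * actually received. The vulnerable form was, in effect,
 *     memcpy(body, pkt + 2, declared);
 * with 'declared' taken straight from the attacker-controlled header. */
msg_status check_lengths(size_t declared, size_t present) {
    if (declared > BODY_CAP) return MSG_TOO_LONG;      /* closes pattern 1 */
    if (declared != present) return MSG_LEN_MISMATCH;  /* closes pattern 2 */
    return MSG_OK;
}

/* Parses one packet into a freshly allocated body; caller frees with msg_free(). */
msg_status parse_msg(const uint8_t *pkt, size_t pkt_len, msg_t *out) {
    out->body = NULL;
    out->len = 0;
    if (pkt_len < 2) return MSG_TRUNCATED;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    msg_status st = check_lengths(declared, pkt_len - 2);
    if (st != MSG_OK) return st;
    out->body = malloc(BODY_CAP);
    if (out->body == NULL) return MSG_NOMEM;
    memset(out->body, 0, BODY_CAP);
    memcpy(out->body, pkt + 2, declared);   /* bounded by both checks above */
    out->len = declared;
    return MSG_OK;
}

void msg_free(msg_t *m) { free(m->body); m->body = NULL; m->len = 0; }
```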
SUPL Heap Overflow: overview
• Corrupt next chunk header
• Every single time
• Why?! OS and heap manager are so nice
SUPL Heap Overflow: read primitive
• R0 = *(Address from SMS)
• Read R0 via AT+XLOG=0

Read Primitive (bandwidth comparison chart: 150 Mb/s, 1.5 Mb/s, 0.88 b/s)
SUPL Heap Overflow: write primitive
• Heap structure is too primitive
• One pool, many threads
• free() can be exploited to perform an arbitrary write
Demo: Unlocking Vendor AT Commands
• Send SUPL SMS to create some internal structures
• Trick free() function to malloc() a blob for our fake thread
• Overwrite current user level

Unlocking Vendor AT Commands
• Now we can read memory…
• …write memory
• …and bypass SEC key security ☺


Finding Code Execution Primitive
• Code section is read only
• But some code executes dynamically from RAM
• Got code execution in process manager's context
Unlock Code Section
• Find MMU mapping
• Set up RO sections as R/W
• So much unmapped physical memory!
Modem OTAP
• Not activated by default

• Activation is local only

• Operated via SMS


Hidden FS: Otap_AtParams
• Created only upon AT command execution
• No file => no OTAP
• Has file => Has OTAP! ☺

SMS FS
• Inject into SMS Process
• Patch handler to retrieve our SMS first
• Got our own hidden data channel into modem OS
SMS FS
• Create remote API via SMS
• RE some needed funcs
• Add our FS driver to the system’s ones
OTAP Activation via SMS
• SUPL SMS Heap Overflow
• Get code execution in process manager's context
• Unlock code section via MMU
• Patch Operate SMS Process
• Upload new SMS FS driver
• Create OTAP_AtParams
• Send OTAP SMS
• Install our MIDlet

V. Conclusions

Mitigation guidelines
• Need FW cryptography
• No flat memory model
• OTAP needs verification
• Only the telecommunication operator can help with a working mitigation
Resulting CVE list
CVE ID          CVSS Score    Description
CVE-2023-47610  8.1 (High)    CWE-120: Buffer Copy without Checking Size of Input
CVE-2023-47611  7.8 (High)    CWE-269: Improper Privilege Management
CVE-2023-47612  6.8 (Medium)  CWE-552: Files or Directories Accessible to External Parties
CVE-2023-47613  4.4 (Medium)  CWE-23: Relative Path Traversal
CVE-2023-47614  3.3 (Low)     CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-47615  3.3 (Low)     CWE-526: Exposure of Sensitive Information Through Environmental Variables

Check out our full technical paper at https://ics-cert.kaspersky.com

Questions?

Alexander Kozlov
[email protected]

Sergey Anufrienko
[email protected]

Kaspersky ICS CERT
https://ics-cert.kaspersky.com
