In our previous blog post, we introduced our latest research into full-chain baseband exploits. We showcased new research tools (our nanoMIPS decompiler, debugger, and emulator for Mediatek basebands) and explored the interconnected components across the Cellular Processor and the Application Processor of the Samsung and Mediatek radio interface stacks.

The most serious of vulnerabilities in these interfaces can lead to over-the-air exploitation of the device: zero-click remote code execution not only in the baseband, but in the Android runtime as well.

It’s no secret that baseband full chains of this kind have existed privately and have been used in the wild, as recently documented by the “Predator Files” disclosures, for example.

All told, we have found 17+ vulnerabilities (16 original CVEs received from Samsung and Mediatek following our reports). Taken together, the most critical indeed lead to over-the-air exploitation of Android!

In this series, we provide details of the baseband and baseband-to-AP pivot vulnerabilities, which are exploitable for remote code execution and are chained together in a single attack.

Last month, I was finally able to present some of the details of our work at the Hardwear.io conference, in the talk Basebanheimer: Now I Am Become Death, the Destroyer of Chains.

In this post (Part 1), we publish the presentation material from Hardwear.io (slides, video), our new TASZK advisories with vulnerability details for 11 out of the 17 vulnerabilities, and a video demonstration of a Samsung Baseband exploit in action.

Additional posts in this series:

Impact

According to Google, the first effort for applying exploit mitigations to baseband firmwares dates back to 2022:

(Figure: bb_mitigations, Google’s statement on baseband exploit mitigations)

While that claim may be arguable, it’s certainly the case that competing chipset manufacturers don’t always publicize their own baseband exploit mitigation engineering efforts. So, in and of itself, I think that such a publication is great, and I wish more vendors did the same. Either way, whether it was Qualcomm in ~2012, Infineon in ~2018, Huawei in ~2019, Samsung in ~2019, Mediatek in ~2022, or indeed Google in 2022-2023, it’s clear that vendors have definitely started working on baseband exploit mitigations.

With that in mind, we have to analyze the exploitability of individual CVEs if we want to understand their true impact.

Ideally, we could rely on the vendor for this, but sometimes the impact/severity assigned in bulletins is not quite accurate. For example, the Samsung Security Update describes the impact of CVE-2023-41111 and CVE-2023-41112 as “can cause abnormal termination of a phone”.

The rest of this series covers exploitability analysis:

  • Part 2 describes the heap implementation changes Mediatek made from Helio to Dimensity and analyzes the exploitability of the Mediatek Baseband RCE vulnerability CVE-2022-21744 using metadata attacks in light of these changes.
  • Part 3 explains how to exploit the Mediatek Baseband Pivot vulnerability CVE-2022-21765 for remote code execution in the Linux Kernel on Dimensity.
  • The upcoming Part 4 will include the advisories for CVE-2023-41111 and CVE-2023-41112 and introduce new baseband heap exploit techniques we have developed for targeting Baseband RCE vulnerabilities like CVE-2023-41111, CVE-2023-41112, CVE-2023-21517, and CVE-2022-21744. Most importantly, it will describe the fully realized Samsung Baseband RCE of our chain.
  • Finally, in Part 5 we will be publishing our advisories for the Samsung Baseband Pivot vulnerabilities CVE-2023-42529, CVE-2023-42528, CVE-2023-42527, and CVE-2023-30739 and discuss their successful exploitation.

If you prefer to skip ahead, check out our Samsung baseband exploit demo video at the end of this post!

Advisories

For vulnerability details, disclosure timelines, and the lists of affected devices, see the individual advisories below:

| Title | Vendor | CVE | Access Vector | TASZK Advisory | Vendor Bulletin |
|---|---|---|---|---|---|
| LTE NAS Heap Buffer Overflow | Samsung | CVE-2023-21517 | Remote | https://labs.taszk.io/blog/post/85_ss_esm_bof/ | June23 |
| RIL IPC SIM Heap Buffer Overflow | Samsung | CVE-2023-30649 | Pivot | https://labs.taszk.io/blog/post/86_ss_sipc_heap_bof_1/ | July23 |
| RIL IPC PhoneBook Heap Buffer Overflow | Samsung | CVE-2023-30647 | Pivot | https://labs.taszk.io/blog/post/87_ss_sipc_heap_bof_2/ | July23 |
| RIL IPC SMS Heap Buffer Overflow | Samsung | CVE-2023-30646 | Pivot | https://labs.taszk.io/blog/post/88_ss_sipc_heap_bof_3/ | July23 |
| RIL IPC SMS Heap Buffer Overflow | Samsung | CVE-2023-30645 | Pivot | https://labs.taszk.io/blog/post/89_ss_sipc_heap_bof_4/ | July23 |
| RIL IPC IMEI Stack Buffer Overflow | Samsung | CVE-2023-30647 | Pivot | https://labs.taszk.io/blog/post/90_ss_sipc_stack_bof_1/ | July23 |
| RIL IPC SMS Stack Buffer Overflow | Samsung | CVE-2023-30648 | Pivot | https://labs.taszk.io/blog/post/91_ss_sipc_stack_bof_2/ | July23 |
| RLC Control Heap Buffer Overflow | Mediatek | CVE-2022-21744 | Remote | https://labs.taszk.io/blog/post/84_mtk_pncd_bof/ | July22 |
| CCCI Driver Stack Buffer Overflow | Mediatek | CVE-2022-21766 | Pivot | https://labs.taszk.io/blog/post/83_mtk_ccci3_bof/ | July22 |
| CCCI Driver OOB Write | Mediatek | CVE-2022-21765 | Pivot | https://labs.taszk.io/blog/post/81_mtk_ccci1_oob_write/ | July22 |
| CCCI Driver OOB Read | Mediatek | CVE-2022-21769 | Pivot | https://labs.taszk.io/blog/post/82_mtk_ccci2_oob_read/ | July22 |

Upcoming Advisories

As described in the talk, I had to skip additional vulnerabilities at Hardwear.io because the chain of baseband and pivot vulnerabilities in question, which we had reported to Samsung in April, was still unfixed.

With impeccable timing, the missing patches were released by Samsung 4 days after the conference.

These baseband and Android CVEs can now be found in the November 2023 Samsung Semiconductor Security Update and Samsung Mobile Security Update, respectively.

| Title | Vendor | CVE | Access Vector | TASZK Advisory | Vendor Bulletin |
|---|---|---|---|---|---|
| RLC Buffer Overflow | Samsung | CVE-2023-41111 | Remote | n/a | Nov23 |
| RLC Buffer Overflow | Samsung | CVE-2023-41112 | Remote | n/a | Nov23 |
| RIL Heap Buffer Overflow | Samsung | CVE-2023-30644 | Pivot | n/a | Nov23 |
| RIL OOB Write | Samsung | CVE-2023-42529 | Pivot | n/a | Nov23 |
| RIL Improper Input Validation | Samsung | CVE-2023-42527 | Pivot | n/a | Nov23 |
| RIL Arbitrary File Descriptor Write | Samsung | CVE-2023-30739 | Pivot | n/a | Nov23 |

Although the Security Updates have now been released, we also take into consideration the fact that Samsung applies monthly updates only to a subset of their supported devices; the others get quarterly or bi-quarterly updates instead. (See more about their patching policies here.)

This is the major reason why we have decided to withhold the full details of our work on CVE-2023-41111, CVE-2023-41112, CVE-2023-42529, CVE-2023-42528, CVE-2023-42527, and CVE-2023-30739 for now.

Don’t forget to follow our research blog and our account on the bird site for upcoming updates about vulnerabilities, exploits, and trainings! :)

Exploit Demo

In the meantime, we are releasing a Proof-of-Concept video of exploiting CVE-2023-41111 and CVE-2023-41112 in the baseband of a Samsung Galaxy S21.

The video doesn’t provide the exact details of the exploit, but it demonstrates successful exploitation using the “Pwn2Own classic” payload: we rewrite the device’s IMEI so that the response the phone sends to a post-exploitation mobile terminated Identity Request shows that the runtime has been compromised.
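The proof in the demo is the IMEI the phone reports in its Identity Response. As an added example (not code from the TASZK post), the following Python encodes and decodes the 3GPP TS 24.008 Mobile Identity IE carried in a plain EMM Identity Response (TS 24.301), so a test network or lab harness can check the reported IMEI against the value on record; the IMEI values and message bytes are constructed.

```python
# Added example (not from the TASZK post): codec for the TS 24.008 10.5.1.4
# Mobile Identity IE as carried in an EMM Identity Response (PD 0x07, type 0x56),
# plus a check that the reported IMEI matches the expected one.

IDENTITY_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV"}
EMM_PD, EMM_IDENTITY_RESPONSE = 0x07, 0x56

def encode_mobile_identity(digits: str, id_type: int) -> bytes:
    """Pack a BCD digit string into the LV-encoded Mobile Identity (no IEI)."""
    assert digits.isdigit() and id_type in IDENTITY_TYPES
    odd = len(digits) % 2
    # Octet 3: digit 1 in bits 8-5, odd/even flag in bit 4, type of identity in bits 3-1.
    out = [(int(digits[0]) << 4) | (odd << 3) | id_type]
    rest = digits[1:]
    if len(rest) % 2:          # even digit count overall: 0xF filler ends the last octet
        rest += "F"
    for i in range(0, len(rest), 2):
        # Each following octet carries two digits, the lower-numbered one in the low nibble.
        out.append((int(rest[i + 1], 16) << 4) | int(rest[i], 16))
    return bytes([len(out)] + out)

def decode_mobile_identity(lv: bytes) -> tuple[str, str]:
    """Unpack an LV-encoded Mobile Identity; returns (type name, digit string)."""
    length, body = lv[0], lv[1:]
    if length == 0 or length != len(body):
        raise ValueError("bad Mobile Identity length")
    id_type, odd = body[0] & 0x07, (body[0] >> 3) & 1
    if id_type not in IDENTITY_TYPES:
        raise ValueError(f"unsupported identity type {id_type}")
    nibbles = [body[0] >> 4]
    for b in body[1:]:
        nibbles += [b & 0x0F, b >> 4]
    if not odd:                # even count: strip and validate the filler nibble
        if nibbles.pop() != 0x0F:
            raise ValueError("missing filler nibble")
    if any(n > 9 for n in nibbles):
        raise ValueError("non-BCD digit in identity")
    return IDENTITY_TYPES[id_type], "".join(map(str, nibbles))

def parse_identity_response(msg: bytes) -> tuple[str, str]:
    """Parse a plain (security header 0) EMM Identity Response."""
    if len(msg) < 3 or msg[0] != EMM_PD or msg[1] != EMM_IDENTITY_RESPONSE:
        raise ValueError("not a plain EMM Identity Response")
    return decode_mobile_identity(msg[2:])

def imei_matches(msg: bytes, expected_imei: str) -> bool:
    """Does the identity the phone reports match the IMEI on record?"""
    kind, digits = parse_identity_response(msg)
    return kind == "IMEI" and digits == expected_imei

# Constructed sample values, not real devices.
EXPECTED_IMEI = "490154203237518"
HEADER = bytes([EMM_PD, EMM_IDENTITY_RESPONSE])
GENUINE = HEADER + encode_mobile_identity(EXPECTED_IMEI, 2)
TAMPERED = HEADER + encode_mobile_identity("123456789012345", 2)
```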