Recently we have disclosed new advisories related to the remote exploitation of Huawei smartphones.
The research that led to these findings was motivated by analyzing new interfaces for remote code execution on a mobile platform. After our work on exploiting Huawei's Kirin via its baseband interface, we wanted to explore the possibilities of logic bugs as RCE vectors in a modern smartphone chipset, as opposed to the memory corruption scenarios that are more common in public research. Logic bugs can be the most powerful because they have the potential to bypass almost all of the exploit mitigations that are the typical focus these days, such as ASLR, NX, sandboxing of parser code, etc.
Our research resulted in a 0-click remote code execution exploit. Demonstrating the usefulness of an exploit that uses only logic bugs, it worked without modification even on Huawei devices with Qualcomm Snapdragon chipsets! In addition, we chained together a few more logic bugs for further escalation, including code execution at the TEE level.
The vulnerabilities we disclosed have all been reported to and patched by Huawei (see the advisories for the disclosure timelines).
The interested reader may find all the vulnerability details in our advisories:
A video recording of the talk that we delivered is available here.