An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32888.

Vulnerability Details

When a SIP message is unpacked by sip_msg_unpack, cc_call_set_peer_addr is responsible for updating the session description object with the peer information. When the SIP message contains a P-Asserted-Identity header, the vulnerable cc_call_replace_double_quote function is called to replace escaped double quotes with the <ascii_34> string.

char * cc_call_replace_double_quote(call_session_call_object_t *callobj,char *src_string)
{
  size_t len;
  size_t __n;
  char *dst;
  char *__dest;
  int iVar1;
  undefined4 uStack_2c;
  undefined4 uStack_28;
  undefined4 uStack_24;
  
  uStack_2c = 0;
  uStack_28 = 0;
  uStack_24 = 0;
  if (((callobj != (call_session_call_object_t *)0x0) &&
      (callobj->parent_profile != (call_acct_profile_t *)0x0)) &&
      // [0] Config option
     (callobj->parent_profile->replace_double_quote != 0)) {
    len = strlen(src_string);
    inet_msg_mapping_char_to_ascii(0x22,(char *)&uStack_2c);
    __n = strlen((char *)&uStack_2c);
    // [1] Input length check
    if (len < 0x200) {
      // [2] Heap buffer allocation
      dst = voip_get_mem(0x200,"protocol/ims/ua/src/call/call_message.c",0x18df);
      if (dst != NULL) {
        __wrap_memset(dst,0,0x200);
        __wrap_memcpy(dst,src_string,len);

        // [3] Find escaped double quote
        // searches for the 2-byte sequence \" (backslash, double quote)
        while (__dest = strstr((char *)dst,(char *)"\\\""), __dest != NULL) {
          iVar1 = (int)__dest - (int)dst;
          if (iVar1 != 0) {
            // [4] Replace it with the <ascii_34> string
            memmove(dst + __n + iVar1,dst + iVar1 + 2, (len - 2) - iVar1);
            strncpy(__dest,(char *)&uStack_2c,__n);
            len = len + (__n - 2);
          }
        }
        return dst;
      }
    }
    else {
      // [ErrMsg] length is not enough. len=[%]
      _dhl_index_trace(0,"",0x32b011c2,&DAT_9186db70);
    }
  }
  return (char *)0x0;
}

The function checks whether double quote replacement is enabled [0], then checks that the length of the input string is less than 0x200 [1] and allocates a 0x200-byte heap buffer [2]. The voip_get_mem function calls __kal_adm_alloc internally to make the allocation. The loop at [3] finds every occurrence of the escaped double quote \" in the input string and replaces it with the <ascii_34> string [4]. While the length check at [1] ensures that the input string alone cannot spill over the boundaries of the allocated buffer, it fails to account for the extra bytes added by the expansion.

The result is that the attacker essentially controls both the length of the heap buffer overwrite and the byte values written. The <ascii_34> value is fixed, but it only fills the desired number of bytes at the head of the allocated buffer, so the bytes that actually overflow the allocation are entirely attacker controlled. The replacement string is 8 bytes longer than an escaped double quote, so the number of extra bytes can be any N*8 where N is at most 0x100, and since the input string can be any length <=0x200, the number of overflowed bytes can be any chosen value up to N*8, not only a multiple of 8.
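The arithmetic above is easiest to see when the two length checks are placed side by side. The following C program is an added illustration, not Mediatek's code or its patch: it reimplements the quote expansion with standard libc, keeping the 0x200-byte buffer, the 2-byte \" pattern and the 10-byte <ascii_34> replacement from the decompiled function. original_check_passes mirrors the check at [1] (input length only), expanded_length computes the size the original code never computes, and replace_escaped_quotes_safe is an assumed hardened variant that rejects any input whose expansion would not fit. The sample display names are constructed in the program.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants taken from the decompiled cc_call_replace_double_quote:
 * a 0x200-byte heap buffer, the 2-byte escaped quote \" that is searched
 * for, and the 10-byte "<ascii_34>" string that replaces it. */
#define QUOTE_BUF_SIZE 0x200
static const char ESCAPED_QUOTE[] = "\\\"";          /* the two bytes: \ and " */
static const char ASCII34[] = "<ascii_34>";
#define ASCII34_LEN (sizeof(ASCII34) - 1)              /* 10 */
#define GROWTH_PER_MATCH (ASCII34_LEN - 2)             /* 8 extra bytes per \" */

/* Number of non-overlapping \" sequences in src, found the way strstr finds them. */
size_t count_escaped_quotes(const char *src)
{
    size_t n = 0;
    const char *p = src;
    while ((p = strstr(p, ESCAPED_QUOTE)) != NULL) {
        n++;
        p += 2;
    }
    return n;
}

/* Length of the output once every \" has grown into <ascii_34>. This is the
 * quantity the original code never computes before writing into the buffer. */
size_t expanded_length(const char *src)
{
    return strlen(src) + count_escaped_quotes(src) * GROWTH_PER_MATCH;
}

/* Mirrors the original check [1]: only the input length is compared to the buffer. */
int original_check_passes(const char *src)
{
    return strlen(src) < QUOTE_BUF_SIZE;
}

/* Hardened check: the expanded output, plus its NUL terminator, must fit. */
int hardened_check_passes(const char *src)
{
    return expanded_length(src) < QUOTE_BUF_SIZE;
}

/* Hardened replacement (assumed fix, not Mediatek's patch): reject inputs whose
 * expansion would not fit, then build the output in a single forward pass.
 * Returns a heap string the caller frees, or NULL if rejected. */
char *replace_escaped_quotes_safe(const char *src)
{
    if (src == NULL || !hardened_check_passes(src))
        return NULL;
    char *dst = calloc(1, QUOTE_BUF_SIZE);
    if (dst == NULL)
        return NULL;
    size_t out = 0;
    const char *p = src;
    const char *hit;
    while ((hit = strstr(p, ESCAPED_QUOTE)) != NULL) {
        size_t plain = (size_t)(hit - p);
        memcpy(dst + out, p, plain);
        out += plain;
        memcpy(dst + out, ASCII34, ASCII34_LEN);
        out += ASCII34_LEN;
        p = hit + 2;
    }
    strcpy(dst + out, p);   /* the hardened check guarantees room for the tail + NUL */
    return dst;
}

/* Constructed sample: a quoted display name holding n_quotes escaped double
 * quotes. Writes into buf and returns its length, or 0 if cap is too small. */
size_t build_sample_display_name(size_t n_quotes, char *buf, size_t cap)
{
    size_t need = 2 + 2 * n_quotes + 1;
    if (cap < need)
        return 0;
    size_t k = 0;
    buf[k++] = '"';
    for (size_t i = 0; i < n_quotes; i++) {
        buf[k++] = '\\';
        buf[k++] = '"';
    }
    buf[k++] = '"';
    buf[k] = '\0';
    return k;
}

int main(void)
{
    char sample[QUOTE_BUF_SIZE];
    for (size_t n = 10; n <= 100; n += 30) {
        build_sample_display_name(n, sample, sizeof sample);
        printf("%3zu escaped quotes: input %3zu bytes, expanded %4zu bytes, "
               "original check %s, hardened check %s\n",
               n, strlen(sample), expanded_length(sample),
               original_check_passes(sample) ? "passes" : "rejects",
               hardened_check_passes(sample) ? "passes" : "rejects");
        char *r = replace_escaped_quotes_safe(sample);
        free(r);
    }
    return 0;
}
```

Running it shows the gap directly: a display name with 100 escaped quotes is 202 bytes and passes the original check, yet expands to 1002 bytes, roughly twice the 0x200 buffer. The hardened variant rejects it while still accepting inputs whose expansion fits, such as 30 escaped quotes (62 bytes in, 302 bytes out).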

The vulnerable code path is only reachable if the replace_double_quote config option is enabled [0]. This option is generally disabled by default; however, it is enabled for specific telco operators in call_service_read_message.

Example Payload

Replace the P-Asserted-Identity field of a legitimate SIP INVITE as below:

import re

# Build the display name and splice it into the P-Asserted-Identity header
# of an existing raw SIP INVITE held in msg_raw (bytes).
payload = b'"BEGIN' + b'\\\"'*100 + b'END" '
msg_raw = re.sub(b"(?<=P-Asserted-Identity: )(?=<.*>\r?\n)", payload, msg_raw)

To reach the vulnerable path, force the modem carrier configuration to use an operator for which the functionality is enabled by default, such as Cricket Wireless.

Affected Devices

MT2735, MT6813, MT6833, MT6833P, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6877T, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895T, MT6896, MT6897, MT6980, MT6980D, MT6983T, MT6983W, MT6983Z, MT6985, MT6985T, MT6989, MT6990

Timeline

  • 2023.07.28. Bug reported to Mediatek PSIRT
  • 2023.09.14. Mediatek confirms vulnerability
  • 2023.11.06. Mediatek confirms CVE
  • 2024.01.02. Mediatek releases security bulletin
  • 2025.06.26. Vulnerability publicly disclosed at Troopers ‘25
  • 2025.10.01. Advisory release