Qualcomm Modem Chip Flaw Exploitable From Android: Researchers

Billions of Android devices are exposed to a vulnerability in Qualcomm’s Mobile Station Modem (MSM) chip


A vulnerability in Qualcomm’s Mobile Station Modem (MSM) chip – installed in around 30% of the world’s mobile devices – can be exploited from within Android.


MSM is of great interest to both hackers and researchers looking for ways it might be exploited remotely by sending an SMS or a crafted radio packet that communicates with the device and can take control of it. But MSM can also be approached from inside the device – and this was the route chosen by researchers at Check Point Research (CPR).


MSM is managed within an Android device by the Qualcomm real-time OS (QuRT), which is protected by TrustZone. It cannot be debugged or dumped even on rooted devices, leaving a vulnerability as the only possible route to the MSM code.


CPR fuzzed MSM data services looking for a way to patch QuRT directly from Android.


QMI (Qualcomm MSM Interface) is Qualcomm’s proprietary protocol used to communicate between software components in the modem and other peripheral subsystems. The CPR researchers discovered that QMI functions use the Type-Length-Value (TLV) format to carry their payload.


CPR used a Hexagon build of QEMU (Quick Emulator) to fuzz the QuRT handler functions, and discovered a heap overflow vulnerability in the qmi_voicei_srvcc_call_config_req handler (0x64) of the voice service.


“To process this packet,” explain the researchers, “the handler allocates 0x5B90 bytes on the modem heap, extracts the number of calls from the payload into the allocated buffer at offset 0x10, and then loops to fetch all call contexts into the buffer starting at offset 0x12. Due to the lack of checking for the ..
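As an added illustration that is not Qualcomm’s or CPR’s code: a hardened version of the count-bounded copy that the quoted description calls for, written in C, plus a helper that computes how far an unchecked count would write past the 0x5B90-byte allocation. The 16-bit count, the 0x20-byte call context and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the handler pattern the article describes; it is
 * not Qualcomm's or Check Point's code. BUF_SIZE, COUNT_OFFSET and CTX_OFFSET are
 * the values quoted in the article; the 16-bit count and CTX_SIZE are assumptions. */
#define BUF_SIZE      0x5B90u
#define COUNT_OFFSET  0x10u
#define CTX_OFFSET    0x12u
#define CTX_SIZE      0x20u                                   /* assumed */
#define MAX_CALLS     ((BUF_SIZE - CTX_OFFSET) / CTX_SIZE)    /* 731 */

/* Bytes the unchecked copy loop would write past the end of the allocation
 * for a given call count (0 when every context fits). */
size_t overrun_bytes(uint16_t count)
{
    size_t end = CTX_OFFSET + (size_t)count * CTX_SIZE;
    return end > BUF_SIZE ? end - BUF_SIZE : 0;
}

/* Hardened version of the copy: the count is bounded by the destination and
 * by the payload length before anything is written. Returns 0 on success,
 * -1 when the payload is rejected. */
int parse_call_contexts(uint8_t *buf, const uint8_t *tlv, size_t tlv_len)
{
    if (tlv_len < 2) return -1;
    uint16_t count = (uint16_t)(tlv[0] | (tlv[1] << 8));    /* little-endian count */
    size_t need = 2 + (size_t)count * CTX_SIZE;
    /* This is the check the article says the flawed handler lacks. */
    if (count > MAX_CALLS || tlv_len < need) return -1;
    memcpy(buf + COUNT_OFFSET, &count, sizeof count);
    for (size_t i = 0; i < count; i++)
        memcpy(buf + CTX_OFFSET + i * CTX_SIZE, tlv + 2 + i * CTX_SIZE, CTX_SIZE);
    return 0;
}

/* Runs the parser on a constructed payload: a header carrying `count` followed by
 * zero-filled contexts, `payload_len` bytes in total (capped at four contexts). */
int run_case(uint16_t count, size_t payload_len)
{
    static uint8_t buf[BUF_SIZE];
    uint8_t tlv[2 + 4 * CTX_SIZE] = {0};
    if (payload_len > sizeof tlv) payload_len = sizeof tlv;
    tlv[0] = (uint8_t)(count & 0xFF);
    tlv[1] = (uint8_t)(count >> 8);
    return parse_call_contexts(buf, tlv, payload_len);
}
```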
