Exploiting Qualcomm WLAN and Modem Over The Air

Conference:  BlackHat USA 2019



The presentation discusses a vulnerability in the linear kernel and how it can be exploited using function-oriented programming. The speaker also talks about the challenges faced during testing and proposes future work.
  • The heat protections hips make the hip overflow issue difficult to exploit
  • Traditional RP cannot be used due to protections and TV
  • Function-oriented programming can be used to bypass RP
  • The vulnerability can be exploited by overriding the smart pointer
  • Stability issues were faced during testing
  • Future work includes reverse engineering more of the code and handling power contracts
The speaker demonstrates how they were able to fully control the kernel and father using a prepared packet. They were able to enter the D message three and harder the color method.


In this talk, we will share our research in which we successfully exploit Qualcomm WLAN in FIRMWARE layer, break down the isolation between WLAN and Modem, and then fully control the Modem over the air.Setting up the real-time debugger is the key. Without the debugger, it's difficult to inspect the program flow and runtime status. On the Qualcomm platform, subsystems are protected by the Secure Boot and unable to be touched externally. We'll introduce the vulnerability we found in Modem to defeat the Secure Boot and elevate privilege into Modem locally so that we can setup the live debugger for baseband.The Modem and WLAN firmware is quite complex and reverse engineering is a tough work. Thanks to the debugger, we finally figured out the system architecture, the components, the program flow, the data flow, and the attack surfaces of WLAN firmware. We'll share these techniques in detail, along with the zero-days we found on the attack surfaces.There are multiple mitigations on Qualcomm baseband, including DEP, stack protection, heap cookie, system call constraint, etc. All the details of the exploitation and mitigation bypassing techniques will be given during the presentation.Starting from Snapdragon 835, WLAN firmware is integrated into the Modem subsystem as an isolated user space application constraint. We'll discuss these constraints, and then leverage the weakness we found to fully exploit Modem.