Exploiting Qualcomm WLAN and Modem Over The Air

Conference:  Defcon 27

2019-08-01

Summary

The presentation describes a method for exploiting a vulnerability in Android's Wi-Fi system to gain control of the device's memory and execute arbitrary code.
  • The exploit works by overriding a smart pointer in the Wi-Fi system; two tests must then be passed to gain control
  • The presenter emphasizes the importance of understanding the code and identifying useful data points in order to exploit vulnerabilities successfully
The presenter recounts how, after identifying a useful data point and overriding a smart pointer, they passed the two tests and gained control of the device's memory, from which they could execute arbitrary code. The anecdote illustrates the importance of understanding the code and identifying useful data points when exploiting vulnerabilities.

Abstract

In this talk, we will share our research in which we successfully exploit Qualcomm WLAN at the firmware layer, break down the isolation between WLAN and Modem, and then fully control the Modem over the air. Setting up a real-time debugger is the key: without the debugger, it is difficult to inspect the program flow and runtime status. On the Qualcomm platform, subsystems are protected by Secure Boot and cannot be touched externally. We will introduce the vulnerability we found in the Modem to defeat Secure Boot and elevate privilege into the Modem locally, so that we can set up a live debugger for the baseband. The Modem and WLAN firmware are quite complex, and reverse engineering them is tough work. Thanks to the debugger, we finally figured out the system architecture, the components, the program flow, the data flow, and the attack surfaces of the WLAN firmware. We will share these techniques in detail, along with the zero-days we found on those attack surfaces. There are multiple mitigations on the Qualcomm baseband, including DEP, stack protection, heap cookies, and system call constraints. All the details of the exploitation and mitigation-bypass techniques will be given during the presentation. Starting from Snapdragon 835, the WLAN firmware is integrated into the Modem subsystem as an isolated userspace process. We will discuss these constraints, and then leverage the weakness we found to fully exploit the Modem.
