Abstract

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM or LTE base station as a difficult objective.

In reality, baseband exploitation is much easier than expected. By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and open-source BTS software, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.

By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and Mediatek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Key Learning Objectives:

• Understanding communication processors at the architecture level
• Extracting baseband firmware for a device
• Achieving initial read/write primitives
• Building a baseband debugger
• Basic familiarity with 3GPP protocols, in particular GSM and GPRS
• Understanding the relevant GSM and GPRS attack surfaces
• Reverse engineering the code - methods and tricks
• Bug hunting - methods, tips and previously discovered bugs
• Exploitation tricks in the baseband

Agenda

Session 1: Introduction, initial analysis and debugging

• Introduction to communication processors:
  • The evolution and challenges of communication systems
  • Baseband processors: An architecture overview
  • CP architectures: Broadcom, Qualcomm, MediaTek, Samsung
• Code extraction and initial analysis (both Shannon and MediaTek):
  • Challenges of baseband code extraction
  • Getting the firmware
  • Initial analysis: Parsing the firmware header
  • Loading into IDA: Base addresses and program segmentation
• Achieving initial read primitives, basic code analysis:
  • Bypassing code signing in Shannon
  • AT commands as a Shannon attack surface
  • Identifying functions and symbols in the code and writing a function mapping script
  • Extracting debug strings and parsing them to name functions in the IDB
• Debugging (both Shannon and MediaTek):
  • Conditions for building a debugger
  • Getting RWX permissions
  • Hooks: Using our multi-platform hooking framework

Session 2: Cellular protocols and static analysis

• Introduction to GSM, GPRS and UMTS:
  • Guide to the relevant 3GPP protocols
  • Working with the specs
  • Determining the protocol attack surface
  • Real time packet captures, analyzing a sample PCAP
• Shannon: Static analysis and an architecture overview:
  • Tasks, memory management and code structure
  • Debugging functionality
  • Samsung IPC: Talking to the Application Processor
  • The Platform Abstraction Layer and the HAL
• MediaTek: A comparison with Shannon:
  • Nucleus OS: implementation in MediaTek
  • Debugging the MediaTek baseband
  • Interaction with the AP
• Setting up a rogue BTS:
  • Getting started with OpenBTS
  • Making phone calls and sending SMS over your own network

Session 3: Finding bugs in Shannon and MediaTek

• The CC, SS, SMS and SM protocols:
  • Full reversing of a CC handler function in Shannon and in MediaTek
  • Adapting OpenBTS to run with GPRS and a primer on the protocol
• Vulnerability research in UMTS and LTE:
  • The additional complexities of setting up an eNodeB
  • Working with mutual authentication
  • Enumerating pre-authentication attack surfaces
• Finding a Shannon stack overflow 1-day:
  • Guiding the students towards finding the recent Shannon bug presented at Pwn2own 2018
  • Enumerating related parsers
• Finding a MediaTek bug:
  • Guiding the students towards finding a GPRS bug in MediaTek (DoS)
  • Analyzing the bug using the adapted hooking framework
  • Opening related attack surfaces in MediaTek

Session 4: Exploiting a Shannon 1-day

• Exploitation primitives:
  • Restoring execution after a Shannon stack overflow – resuming the message parsing loop
  • Exploiting a heap overflow in Shannon OS
  • Analysing the stack and heap for secondary exploitation primitives
  • Challenges/exploit mitigations
• Initial code execution:
  • Loading the initial shellcode stub into global memory
  • Building a custom bridgehead – receiving the main payload over the air
  • Second stage: Modifying the system’s behaviour in order to capture traffic or escalate to the AP
• Adapting the exploit to different ROMs:
  • Resolving symbols in different firmware versions
  • Identifying the target’s firmware version
  • Customizing a payload to the targeted firmware version
• Escalating to the AP - an introduction

Pre-requisites:

• C and Python
• Good reverse engineering knowledge
• Recommended: Familiarity with ARM assembly

Hardware Requirements:

• A working laptop
• 40 GB free Hard disk space

Software Requirements:

• IDA Pro or IDA Home with ARM Architecture is a must
• 32-bit ARM Decompiler is OPTIONAL, but preferred:
  • IDA Pro users can use the accompanying Hex Rays ARM decompiler
  • Ghidra’s ARM decompiler can be used as a standalone decompiler for students with IDA Home
• Linux / Windows / Mac OS X desktop operating systems
• VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
• Administrator / root access MANDATORY