Abstract:
-----------------
Samsung baseband modems provide mobile network functionality to a variety of devices. Project Zero reviewed the Samsung 'Shannon' Exynos 5300 modem used by the Google Pixel 7, discovering and reporting several vulnerabilities. While many of these could only be exploited using a local base-station or compromised mobile network, some could be accessed remotely cross-carrier, requiring only a rooted mobile phone to perform the attack. This presentation will explore fully-remote baseband vulnerabilities.
It will start with an overview of the attack surface of the Exynos 5300 modem, and describe the bugs we found, then explain how to test such vulnerabilities on a remote target using a rooted Samsung phone. This talk will then discuss how to exploit such bugs, as well as ways an attacker could make use of a modem compromise
#shannon #baseband #hardwaresecurity #hardwear_io #hw_ioUSA2023
---------------------------------------------------------------------------------------------------------------------
Website: hardwear.io
Twitter: / hardwear_io
LinkedIn: / hardwear.io-hardwarese...
Facebook: / hardwear.io
0:00 Introduction
0:15 Baseband Hackathon
7:52 P2P Attack Surface
9:28 Dumping baseband
9:51 Analysis
10:59 Crashdumps
12:42 Code review
13:40 Filtering
18:59 QEMU emulator
20:47 CVE-2022-26497
22:30 CVE-2022-29090 (SIP)
23:20 Testing P2P bugs
24:41 Exploitation
25:37 95300 security features
27:15 Shannon heap
28:55 Heap 6
30:23 First Attempt
33:37 Overwrite
35:28 Code exec from heap
36:17 Shellcode
37:45 Now what? (for real)
41:48 Questions