Researchers found a new flaw in Qualcomm’s Mobile Station Modem chip that makes Android devices vulnerable to hacking

May 7, 2021 06:10 GMT

A flaw in Qualcomm's Mobile Station Modem (MSM) chip, used in 30% of all mobile devices worldwide, can be exploited from within Android.  

Both attackers and researchers have long been interested in whether MSM can be controlled remotely, by sending the device an SMS or a specially crafted radio packet that lets them take control of it.

However, MSM can also be reached from inside the system, and that is the approach Check Point Research (CPR) chose.

On an Android device, MSM is managed by Qualcomm's real-time OS (QuRT), which is protected by TrustZone. Even on a rooted device it cannot be debugged or dumped, so a vulnerability is the only way to reach the MSM code.

CPR fuzzed MSM data services to find a way to patch QuRT from Android directly.

QMI is Qualcomm's protocol for communication between software components in the modem and other peripheral subsystems. According to the CPR researchers, QMI functions carry their payload in Type-Length-Value (TLV) format.

The same team of researchers claims that “To process this packet, the handler allocates 0x5B90 bytes on the modem heap, extracts the number of calls from the payload into the allocated buffer at offset 0x10, and then loops to fetch all call contexts into the buffer starting at offset 0x12. Due to the lack of checking for the maximum number of calls, it is possible to pass the value 0xFF in the number of calls field and thus overwrite in the modem heap up to 0x12 + 0x160 * 0xFF – 0x5B90 = 0x10322 bytes.”
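As an added illustration (not CPR's or Qualcomm's code), the following C reproduces the arithmetic in the quoted description and shows the bound check the handler lacked. The one-byte count field, the payload layout and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sizes and offsets quoted in the CPR description of the handler. */
#define MODEM_BUF_SIZE   0x5B90u /* bytes allocated on the modem heap */
#define NUM_CALLS_OFFSET 0x10u   /* where the call count lands in the buffer */
#define CALL_CTX_OFFSET  0x12u   /* where the call contexts start */
#define CALL_CTX_SIZE    0x160u  /* one call context (the 0x160 factor above) */

/* Largest call count whose contexts still fit inside the allocation. */
unsigned max_calls_that_fit(void) {
    return (MODEM_BUF_SIZE - CALL_CTX_OFFSET) / CALL_CTX_SIZE; /* 66 */
}

/* Bytes written past the end of the buffer for a given count, 0 if it fits.
 * A count of 0xFF reproduces the 0x10322 figure quoted above. */
long overflow_bytes(unsigned num_calls) {
    long end = (long)CALL_CTX_OFFSET + (long)num_calls * (long)CALL_CTX_SIZE;
    return end > (long)MODEM_BUF_SIZE ? end - (long)MODEM_BUF_SIZE : 0;
}

/* Hardened shape of the copy loop. Assumed payload layout: a one-byte count
 * followed by num_calls contexts of CALL_CTX_SIZE bytes each. The vulnerable
 * handler runs the same loop without the count check. */
int handle_call_list(const uint8_t *payload, size_t payload_len, uint8_t *buf) {
    if (payload_len < 1) return -1;
    unsigned num_calls = payload[0];
    if (num_calls > max_calls_that_fit()) return -1;  /* the missing bound */
    if (payload_len < 1 + (size_t)num_calls * CALL_CTX_SIZE) return -1; /* short packet */
    buf[NUM_CALLS_OFFSET] = (uint8_t)num_calls;
    for (unsigned i = 0; i < num_calls; i++)
        memcpy(buf + CALL_CTX_OFFSET + (size_t)i * CALL_CTX_SIZE,
               payload + 1 + (size_t)i * CALL_CTX_SIZE, CALL_CTX_SIZE);
    return 0;
}

/* Constructed inputs: a packet claiming 0xFF calls must be rejected and a
 * packet carrying two (zeroed) contexts must be accepted. Returns 1 on success. */
int hardened_handler_behaves(void) {
    static uint8_t buf[MODEM_BUF_SIZE];
    static uint8_t big[1] = { 0xFF };
    static uint8_t small[1 + 2 * CALL_CTX_SIZE];
    small[0] = 2;
    return handle_call_list(big, sizeof big, buf) == -1 &&
           handle_call_list(small, sizeof small, buf) == 0 &&
           buf[NUM_CALLS_OFFSET] == 2;
}

int main(void) {
    printf("fits: %u calls; overflow at 0xFF: 0x%lx bytes; hardened ok: %d\n",
           max_calls_that_fit(), overflow_bytes(0xFF), hardened_handler_behaves());
    return 0;
}
```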

What is the purpose of this study? 

The aim of the study was to find a flaw that other researchers could use to investigate the MSM chip, not to exploit one. Simply put, CPR did not pursue exploitation after discovering the vulnerability.

Qualcomm received the bug report and proof of concept (PoC) on October 8, 2020. It acknowledged the problem a week later and classified it as a high-risk vulnerability. Qualcomm notified the affected vendors and in February developed a patch for the flaw, tracked as CVE-2020-11292.

The vulnerability carries real impact. An attacker does have to compromise the device first, but once that foothold exists, the flaw lets them take control of the Android device.