Exploiting Qualcomm WLAN and Modem Over The Air

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Cybersecurity Courses, Ethical Hacking Courses, Reverse Engineering Courses, Secure Boot Courses, Firmware Analysis Courses

Course Description

Overview

This conference talk walks through an over-the-air exploitation chain against Qualcomm's WLAN firmware that breaks the isolation between the WLAN and Modem subsystems and ends in full control of the Modem. It covers the role of real-time debugging in inspecting program flow and runtime state, the MBA (Modem Boot Authenticator) and Modem images, Modem Secure Boot and a TOCTOU vulnerability that bypasses it, debug server injection, and the Qualcomm WLAN architecture. It shows how the WLAN firmware was reverse engineered using hints left by Qualcomm and the offload handlers, lays out the exploitation roadmap and the mitigations present on WLAN and Modem, and details CVE-2019-10540: how the overflow is turned into a constrained global write, then an arbitrary write and control of PC, and how an RWX mapping is created so shellcode can be copied in and triggered. It then moves from WLAN to Modem: mapping Modem memory into WLAN, the attack surface and memory management of Qualcomm's multi-processor design, and CVE-2019-10538. The talk closes with over-the-air payload delivery, a demonstration on a Pixel 2, and future work.
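The "TOCTOU vulnerability bypass Secure Boot" item refers to the classic verify-then-use race in an image loader. What follows is an added illustration written for this page, not code from the talk, from Qualcomm, or from the Pixel 2 firmware, and it does not reproduce the talk's actual bug. It models a loader that verifies a boot image in a buffer shared with another processor and then runs it from that same buffer, beside the copy-then-verify form that closes the window. The image bytes, the FNV-1a digest standing in for the signature check, and the `tamper` callback standing in for the other processor are all constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMG_LEN 16

/* Constructed sample image; stands in for a modem/MBA image. */
static const uint8_t GENUINE_IMAGE[IMG_LEN] = {
    0x10, 0x40, 0x2d, 0xe9, 0x00, 0x00, 0xa0, 0xe3,
    0x10, 0x80, 0xbd, 0xe8, 0xde, 0xad, 0xbe, 0xef
};

/* Stand-in for the signature/hash check: 64-bit FNV-1a (assumption).
 * A real secure boot verifier checks a signed hash chain; the TOCTOU
 * does not depend on which primitive is used. */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Simulates the other owner of the shared load buffer (for example the
 * processor that filled it) rewriting it after verification. */
typedef void (*race_hook_t)(uint8_t *shared);

static void tamper(uint8_t *shared) {
    memset(shared, 0xEE, IMG_LEN);   /* attacker-chosen code */
}

/* "Execute" the image: 1 if the genuine image ran, 0 if something else ran. */
static int execute(const uint8_t *img) {
    return memcmp(img, GENUINE_IMAGE, IMG_LEN) == 0 ? 1 : 0;
}

/* Vulnerable loader: verifies the image in place in the shared buffer,
 * then runs from the same shared buffer. Returns -1 if verification
 * fails, otherwise the result of execute(). */
int load_verify_in_place(uint8_t *shared, uint64_t expected, race_hook_t hook) {
    if (digest(shared, IMG_LEN) != expected)
        return -1;                  /* time of check */
    if (hook)
        hook(shared);               /* race window: buffer rewritten */
    return execute(shared);         /* time of use */
}

/* Hardened loader: copies into memory only this processor can write,
 * then verifies and runs the private copy. Same return convention. */
int load_copy_then_verify(uint8_t *shared, uint64_t expected, race_hook_t hook) {
    uint8_t priv[IMG_LEN];
    memcpy(priv, shared, IMG_LEN);  /* snapshot before the check */
    if (digest(priv, IMG_LEN) != expected)
        return -1;
    if (hook)
        hook(shared);               /* shared changes, priv does not */
    return execute(priv);
}

/* Scenarios: a fresh copy of the genuine image in a "shared" buffer with
 * the tamper hook armed, run through each loader. */
int scenario_vulnerable(void) {
    uint8_t shared[IMG_LEN];
    memcpy(shared, GENUINE_IMAGE, IMG_LEN);
    return load_verify_in_place(shared, digest(GENUINE_IMAGE, IMG_LEN), tamper);
}

int scenario_hardened(void) {
    uint8_t shared[IMG_LEN];
    memcpy(shared, GENUINE_IMAGE, IMG_LEN);
    return load_copy_then_verify(shared, digest(GENUINE_IMAGE, IMG_LEN), tamper);
}

/* A tampered image presented up front is rejected by both loaders. */
int scenario_bad_image_rejected(void) {
    uint8_t shared[IMG_LEN];
    memset(shared, 0xEE, IMG_LEN);
    uint64_t expected = digest(GENUINE_IMAGE, IMG_LEN);
    return load_verify_in_place(shared, expected, NULL) == -1 &&
           load_copy_then_verify(shared, expected, NULL) == -1;
}

int main(void) {
    printf("verify-in-place with race: %d (0 = attacker code ran)\n", scenario_vulnerable());
    printf("copy-then-verify with race: %d (1 = genuine image ran)\n", scenario_hardened());
    printf("bad image rejected up front: %d\n", scenario_bad_image_rejected());
    return 0;
}
```

The point the example makes is that the check itself is sound in both loaders; the only difference is whether the bytes that are verified are the bytes that are later used. When the load buffer is writable by another master (another processor, a DMA engine, or a host driver), the verifier must snapshot into memory that master cannot reach before checking, or lock the buffer against writes for the whole check-to-use interval.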

Syllabus

Intro
MBA and Modem images
Modem Secure Boot
TOCTOU Vulnerability Bypass Secure Boot
Debug Server Injection
Qualcomm WLAN Architecture
Example - WIFI List
Firmware
Reverse Engineering - Hint From Qualcomm
Reverse Engineering - Offload Handlers
Sample Offload Handler
The Roadmap
Mitigation Table (WLAN & Modem)
The Vulnerability (CVE-2019-10540)
Data & Address of Overflow
Smart Pointer Around Overflow Memory
Usage Of Smart Pointer
Global Write With Constraint
Control PC & RO
Transform To Arbitrary Write
Run Useful FOP Gadget
Memory Mapping RWX
Copy Shellcode to 0x42420000
Trigger Shellcode
From WLAN to Modem
Map Modem Memory into WLAN
The Attack Surfaces
Memory Management of Qualcomm Multi-Processor
CVE-2019-10538
Deliver the Payload Over-The-Air
Deliver the Payloads Using Pixel2
Demo
Future Works
