Exploiting Qualcomm WLAN and Modem Over The Air

Offered By: Black Hat via YouTube

Course Description

Overview

Explore a conference talk detailing the successful exploitation of Qualcomm WLAN firmware, the breaking of isolation between the WLAN and the Modem, and the achievement of full control over the Modem over the air. Delve into the critical role of real-time debugging for inspecting program flow and runtime state. Learn about the MBA and Modem images, Modem Secure Boot, a TOCTOU vulnerability used to bypass Secure Boot, Debug Server Injection, and the Qualcomm WLAN architecture. Examine reverse engineering techniques, including hints from Qualcomm and the offload handlers. Understand the roadmap, the mitigations in place on the WLAN and Modem, and the specific vulnerabilities CVE-2019-10540 and CVE-2019-10538. Discover how the overflow is transformed into an arbitrary write, how shellcode is executed, and how Modem memory is mapped into the WLAN. Gain insights into the attack surfaces, memory management in Qualcomm multi-processor systems, and methods for delivering payloads over the air, including a demonstration on a Pixel2.

Syllabus

Intro
MBA and Modem images
Modem Secure Boot
TOCTOU Vulnerability Bypass Secure Boot
Debug Server Injection
Qualcomm WLAN Architecture
Example - WIFI List
Firmware
Reverse Engineering - Hint From Qualcomm
Reverse Engineering - Offload Handlers
Sample Offload Handler
The Roadmap
Mitigation Table (WLAN & Modem)
The Vulnerability (CVE-2019-10540)
Data & Address of Overflow
Smart Pointer Around Overflow Memory
Usage Of Smart Pointer
Global Write With Constraint
Control PC & RO
Transform To Arbitrary Write
Run Useful FOP Gadget
Memory Mapping RWX
Copy Shellcode to 0x42420000
Trigger Shellcode
From WLAN to Modem
Map Modem Memory into WLAN
The Attack Surfaces
Memory Management of Qualcomm Multi-Processor
CVE-2019-10538
Deliver the Payload Over-The-Air
Deliver the Payloads Using Pixel2
Demo
Future Works
Taught by

Black Hat
