Practical Baseband Exploitation

4000€ | 10th to 13th of October 2022 | Espace Vinci, Rue des Jeuneurs, Paris, France

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim's device by emulating a GSM or LTE base station as a difficult objective. In reality, baseband exploitation is much easier than expected. By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and open-source BTS software, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them. By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and Mediatek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.


Objectives of the training

Extract baseband firmware from a device

Understand the relevant GSM and GPRS attack surfaces

Hunt for bugs - methods, tips and previously discovered bugs

Learn Exploitation tricks specific to baseband world

The trainer

Who will run this training?

Nitay
Artenstein


@nitayart

Nitay Artenstein is a senior security researcher and the leader of an international research group. He has been a speaker at various security conferences, including Black Hat and Recon, and has conducted training sessions in Linux kernel exploitation and baseband research. He suffers from a severe addiction to IDA Pro (at least until he gets used to Ghidra’s GUI), and generally gets a kick out of digging around where he’s not supposed to.

Pedro
Ribeiro


@pedrib1337

Pedro Ribeiro is a vulnerability researcher and reverse engineer with over 12 years of experience. Pedro has found and exploited hundreds of vulnerabilities in various software and hardware products. He has over 160 CVE ID’s attributed to his name (most of which related to remote code execution vulnerabilities) and has authored over 60 Metasploit modules which have been released publicly.
Besides his vulnerability research activities, he is the founder and director of a penetration testing and reverse engineering consultancy based in London (Agile Information Security), with a variety of clients worldwide. More information about Pedro’s publicly disclosed vulnerabilities can be found at https://github.com/pedrib/PoC

Syllabus

What will we do?

Abstract

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim’s device by emulating a GSM or LTE base station as a difficult objective.

In reality, baseband exploitation is much easier than expected. By following a simple list of steps, a baseband platform can be quickly opened up for research, debugging and exploitation. In this course, students will learn our systematic approach to baseband research - from setting up a fake base station using SDR and open-source BTS software, to achieving initial debugging abilities using our embedded hooking framework, and finally reverse engineering the relevant protocols, hunting for bugs and exploiting them.

By the end of this heavily hands-on course, students will become familiar with two extremely common baseband platforms, Shannon and Mediatek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Key Learning Objectives:

  • Understanding communication processors at the architecture level
  • Extracting baseband firmware for a device
  • Achieving initial read/write primitives
  • Building a baseband debugger
  • Basic familiarity with 3GPP protocols, in particular GSM and GPRS
  • Understanding the relevant GSM and GPRS attack surfaces
  • Reverse engineering the code - methods and tricks
  • Bug hunting - methods, tips and previously discovered bugs
  • Exploitation tricks in the baseband

Agenda

Session 1: Introduction, initial analysis and debugging
  • Introduction to communication processors:
    • The evolution and challenges of communication systems
    • Baseband processors: An architecture overview
    • CP architectures: Broadcom, Qualcomm, MediaTek, Samsung
  • Code extraction and initial analysis (both Shannon and MediaTek):
    • Challenges of baseband code extraction
    • Getting the firmware
    • Initial analysis: Parsing the firmware header
    • Loading into IDA: Base addresses and program segmentation
  • Achieving initial read primitives, basic code analysis:
    • Bypassing code signing in Shannon
    • AT commands as a Shannon attack surface
    • Identifying functions and symbols in the code and writing a function mapping script
    • Extracting debug strings and parsing them to name functions in the IDB
  • Debugging (both Shannon and MediaTek):
    • Conditions for building a debugger
    • Getting RWX permissions
    • Hooks: Using our multi-platform hooking framework
Session 2: Cellular protocols and static analysis
  • Introduction to GSM, GPRS and UMTS:
    • Guide to the relevant 3GPP protocols
    • Working with the specs
    • Determining the protocol attack surface
    • Real time packet captures, analyzing a sample PCAP
  • Shannon: Static analysis and an architecture overview:
    • Tasks, memory management and code structure
    • Debugging functionality
    • Samsung IPC: Talking to the Application Processor
    • The Platform Abstraction Layer and the HAL
  • MediaTek: A comparison with Shannon:
    • Nucleus OS: implementation in MediaTek
    • Debugging the MediaTek baseband
    • Interaction with the AP
  • Setting up a rogue BTS:
    • Getting started with OpenBTS
    • Making phone calls and sending SMS over your own network
Session 3: Finding bugs in Shannon and MediaTek
  • The CC, SS, SMS and SM protocols:
    • Full reversing of a CC handler function in Shannon and in MediaTek
    • Adapting OpenBTS to run with GPRS and a primer on the protocol
  • Vulnerability research in UMTS and LTE:
    • The additional complexities of setting up an eNodeB
    • Working with mutual authentication
    • Enumerating pre-authentication attack surfaces
  • Finding a Shannon stack overflow 1-day:
    • Guiding the students towards finding the recent Shannon bug presented at Pwn2own 2018
    • Enumerating related parsers
  • Finding a MediaTek bug:
    • Guiding the students towards finding a GPRS bug in MediaTek (DoS)
    • Analyzing the bug using the adapted hooking framework
    • Opening related attack surfaces in MediaTek
Session 4: Exploiting a Shannon 1-day
  • Exploitation primitives:
    • Restoring execution after a Shannon stack overflow – resuming the message parsing loop
    • Exploiting a heap overflow in Shannon OS
    • Analysing the stack and heap for secondary exploitation primitives
    • Challenges/exploit mitigations
  • Initial code execution:
    • Loading the initial shellcode stub into global memory
    • Building a custom bridgehead – receiving the main payload over the air
    • Second stage: Modifying the system’s behaviour in order to capture traffic or escalate to the AP
  • Adapting the exploit to different ROMs:
    • Resolving symbols in different firmware versions
    • Identifying the target’s firmware version
    • Customizing a payload to the targeted firmware version
  • Escalating to the AP - an introduction

Pre-requisites:

  • C and Python
  • Good reverse engineering knowledge
  • Recommended: Familiarity with ARM assembly

Hardware Requirements:

  • A working laptop
  • 40 GB free Hard disk space

Software Requirements:

  • IDA Pro or IDA Home with ARM Architecture is a must
  • 32-bit ARM Decompiler is OPTIONAL, but preferred:
    • IDA Pro users can use the accompanying Hex Rays ARM decompiler
    • Ghidra’s ARM decompiler can be used as a standalone decompiler for students with IDA Home
  • Linux / Windows / Mac OS X desktop operating systems
  • VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
  • Administrator / root access MANDATORY

Other trainings

What else might interest you?

Android Kernel Security

Vitaly Nikolenko

Hunting and Reversing UEFI Firmware Implants

Alex Matrosov

Hypervisor development for security analysis

Satoshi Tanda

Windows Internals for Security Engineers

Yarden Shafir