SVE-2019-13963 : Remote stack overflow in Samsung baseband caused by malformed IMMEDIATE ASSIGNMENT message

Posted on Mon 07 December 2020 in Advisory • Tagged with vulnerability, advisory, samsung, shannon, baseband, security, arm

Description

When the Samsung Shannon baseband receives an IMMEDIATE ASSIGNMENT message (9.1.18 in GSM/04.08) from the network, the length of the Mobile Allocation IE (GSM/04.08 10.5.2.21) is not properly checked.

GSM/04.08 IMMEDIATE ASSIGNMENT message

Mobile allocation data is directly copied to a buffer on the stack without checking …



Remote stack overflow in Samsung baseband caused by malformed GMM ATTACH ACCEPT message

Posted on Mon 30 November 2020 in Advisory • Tagged with vulnerability, advisory, samsung, shannon, baseband, security, arm

Description

When the Samsung Shannon baseband receives a GMM ATTACH ACCEPT message (9.4.2 in TS 24.008) from the network, the minimum length of the MS Identity IE (10.5.1.4) is not properly checked.

TS 24.008 GMM ATTACH ACCEPT message

The MS Identity (IEI 0x23) length is decremented without a prior check. If this value is zero, a …



Remote stack overflow in Samsung baseband caused by malformed P-TMSI REALLOCATION COMMAND

Posted on Mon 23 November 2020 in Advisory • Tagged with vulnerability, advisory, samsung, shannon, baseband, security, arm

Description

When the Samsung Shannon baseband receives a P-TMSI REALLOCATION COMMAND message (9.4.7 in TS 24.008) from the network, the length of the Mobile Identity IE (10.5.1.4) is not properly checked.

TS 24.008 P-TMSI REALLOCATION COMMAND message

Mobile identity data is directly copied to a stack buffer without a prior size check. This stack …



SVE-2016-7930: Multiple buffer overflows in Samsung Galaxy bootloader

Posted on Sun 23 July 2017 in Advisory • Tagged with vulnerability, advisory, samsung, cellebrite, bootloader, exploit, firmware, security, usb, arm, odin

Prequel

On October 21st 2015, the mobile forensics company Cellebrite published a video demonstrating how their solution can dump the eMMC of Samsung Galaxy devices:

This video strongly suggests that the Samsung Galaxy bootloader can be exploited to execute arbitrary code.

Summary

Several bugs in the Samsung Galaxy bootloader allow an attacker with …



Amlogic S905 SoC: bypassing the (not so) Secure Boot to dump the BootROM

Posted on Wed 05 October 2016 in Article • Tagged with vulnerability, amlogic, arm, security, firmware, trustzone, bootrom, bug

The Amlogic S905 System-On-Chip is an ARM processor designed for video applications. It is widely used in Android/Kodi media boxes. The SoC implements the TrustZone security extensions to run a Trusted Execution Environment (TEE) that enables DRM and other security features:

Amlogic S905 System Block Diagram

The SoC contains a Secure …



[QPSIIR-80] Qualcomm TrustZone Integer Signedness bug

Posted on Thu 18 December 2014 in Advisory • Tagged with vulnerability, advisory, arm, security, qualcomm, android, trustzone

Summary

Qualcomm TrustZone is prone to an integer signedness bug that may allow writing NULL words to barely controllable locations in memory.

The vulnerability can be triggered from the Non-Secure World through the TrustZone call "tzbsp_smmu_fault_regs_dump".

This issue has been discovered in Samsung Galaxy S5 firmware, but other devices can …


[CVE-2014-2978] DirectFB remote out-of-bounds write vulnerability

Posted on Thu 15 May 2014 in Advisory • Tagged with vulnerability, advisory

Summary

DirectFB is prone to an out-of-bounds write vulnerability since version 1.4.4.

The vulnerability can be triggered remotely without authentication through the Voodoo interface (the network layer of DirectFB).

Details

An attacker can choose to overflow in the heap or the stack.

CVSS Version 2 Metrics

  • Access Vector: Network exploitable …


[CVE-2014-2977] DirectFB integer signedness vulnerability

Posted on Thu 15 May 2014 in Advisory • Tagged with vulnerability, advisory

Summary

DirectFB is prone to an integer signedness vulnerability since version 1.4.13.

The vulnerability can be triggered remotely without authentication through the Voodoo interface (the network layer of DirectFB).

Details

This integer coercion error may lead to a stack overflow.

CVSS Version 2 Metrics

  • Access Vector: Network exploitable
  • Access Complexity …


Axis Camera M1011 Remote Code Execution Exploit

Posted on Wed 31 July 2013 in Advisory • Tagged with vulnerability, advisory

In January 2013, Rapid7 published a great paper describing several vulnerabilities in the most common UPnP libraries. Six months later, many devices based on these libraries have not been updated and are still exposed.

For example, the Axis M1011 camera contains a vulnerable version of libupnp, which can lead to …



Huawei Mobile Hotspot remote root code execution by SMS (user-triggered)

Posted on Mon 15 July 2013 in Advisory • Tagged with vulnerability, advisory, xss, CVE-2013-2612, huawei

The Huawei E587 3G Mobile Hotspot, version 11.203.27, is prone to two vulnerabilities in its WebUI: an XSS and a command injection.
The combination of both allows an attacker (with a little help from the victim) to remotely execute code on the device with root privileges, by sending a specifically …

