tags: android, baseband, heap_overflow
original link: Unburdened By What Has Been: Exploiting New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos
newsletter link: exploits.club Weekly Newsletter 32 - Popping Basebands, Pwnie Nominated PrivEscs, The Compiler Landscape, And More


Exploits Club Summary:

Following up their three-part blog series on full-chain baseband exploits from late last year, Taszk is back with more baseband goodies this week. In their new post, the team explains an exploit they developed to achieve RCE on Samsung Exynos basebands by targeting Radio Layer 2. The post starts with some background on Layer 2 and then describes the two bugs they identified. Used in conjunction, the bugs give them a relatively strong heap overflow primitive. Before going into the exploitation, the post walks through baseband heap internals, covering the front-end and back-end allocators as well as the classic heap exploitation technique the back-end allocator is susceptible to. It then moves on to exploitation, walking through heap shaping and overcoming mitigations before concluding with a demo.