The Chinese troupe UNISOC, constituted as Spreadtrum, is one of the humankind’s largest chipmaker companies and the biggest in China over the concluding 20 ages. The company produces tropical- cost chipsets for Android affection agreeable with 2- 5G technology, sharp TVs and other things.
Because investigators haven’t sampled their products already, the CheckPoint brigade decided to break down part of the protocol communications used, known as NAS, and begin a weakness( CVE-2022-20210) that can be brutalized to break the device’s radio message via a distorted bundle causing a DoS form. This weakness allows assaulters can neutralize dispatches in a specific emplacement.
Related Article about UNISOC:The Rise of MBR Ransomware-by Blackhat Pakistan 2023
Learning about vulnerability (CVE-2022-20210)
The LTE mesh should be examined to derive the essential notions and how to play this weakness. The lengthy- term growth( LTE) net comprises some protocols and factors. The 3GPP Group created the elaborated packet system( EPS), an LTE technology cast of three land
- The stoner outfit( UE)
- Evolved UMTS carnal radio access network(E-UTRAN)
- Evolved packet core( EPC)
In detail, theE-UTRAN ingredient is formed of one single hill called the “ eNodeB ” quarter. This station is responsible for curbing radio messages between the UE and EPC factors.
The ECC is decoupled into four land, one of which is the mobility care being( MME). This constituent is responsible for shipping flagging communications related with security control, charge of hounding areas and mobility preserving.
The delving was carried out using a UNISOC modem and messages between the MME constituent and the UE hill( an Android device). Figure 2 shows the protocol hill of the modem; the no- case stratum( NAS) degree hosts EPS and EMM signaling communications.
Some exchange messages between the UE device and the MME component are shown below.
Digging into the vulnerability details
In this feel, the defenselessness chased as CVE-2022-20210 relies on the exploitation of the NAS contentions, to wit
- fruit purity — the object building
- NAS dispatch blob; and
- blob cancel
By cloud the discharge of the NAS bash via AFL and QUEMU passages, the army associated some arresting billets comparable asliblte_mme_unpack_mobile_id_ie of srsRAN breathing used to pull the movable sameness from the NAS dispatch. This identity starts with a composition; the value consists of a 2- byte breadth to represent the foreign mobile subscriber identity( IMSI).
The crash happens when this value is copied to the labor buffer as the IMSInumber.However, 0- 2 = 0xFFFFFFFE bytes are deeded to the cock memory, and a DoS health is set off, If the length of the worth is zero.
As a result, a deformed NAS communication is created. As minded under and set out by CheckPoint, “ the featured 0x23 worth indicates that the succeeding data is the dispatch sameness head, where the first 0x01 is the length and the spare 0x01 is the IMSI breed. ”
This message crashes the device and opens doors to more sophisticated payloads that can lead to remote code execution scenarios.