Information

LTE background:

The LTE network model consists of a dozen components and protocols. We focus on the flow between the User Equipment (UE), which is a smartphone with the Unisoc modem, and the EMM server responsible for user authentication and network registration, session and bearer establishment, and mobility management to support user movement. Mobility and session management between the UE and the EMM is performed in accordance with the NAS protocol, the functional layer of the LTE protocol stack. The NAS protocol is defined in 3GPP TS 24.301.
The UE and the EMM communicate with each other using NAS messages. When a new NAS message arrives from the EMM, the Unisoc modem parses it and creates internal objects based on the received data. A bug in the parsing code could be used by an attacker to crash the modem remotely, which could result in DoS or RCE.

Integer underflow in the “Mobile Identity” unpacking function:

As part of the handshake procedure, when a device connects to the 4G or 5G network, the UE expects to receive a “Mobile Identity” record from the EMM, which can be provided as part of multiple NAS messages, such as the “Attach accept” NAS message. The “Mobile Identity” entry starts with the length of the supplied identity. When the mobile identity is an IMSI, (length - 2) bytes of the entry are copied into a heap-based buffer as the IMSI number.
The check that the length value is greater than one is omitted. So, if the length field contains the value zero, (0 - 2 = 0xFFFFFFFE) bytes will be copied into the heap buffer from the NAS message, leading to DoS.
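As an added illustration (not Unisoc's code, and the IE layout below is a simplified model of what the report describes rather than the exact 3GPP encoding), this is how a parser for the “Mobile Identity” entry should validate the length field before deriving a copy size from it: the `len < 2` test is the check the report says is missing, and the copy is additionally bounded by the destination buffer and by the bytes actually present in the message. The IE layout, buffer size and sample messages are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of the "Mobile Identity" IE as the report describes it
 * (an assumption, not Unisoc's code or the exact 3GPP encoding):
 *   octet 0   : length field
 *   octet 1   : identity type in the low 3 bits (1 = IMSI)
 *   octets 2..: (length - 2) identity bytes */
#define MI_TYPE_IMSI   1
#define IMSI_MAX_BYTES 8   /* assumed size of the heap destination buffer */

enum mi_status { MI_OK = 0, MI_ERR_TRUNCATED, MI_ERR_LENGTH, MI_ERR_TYPE, MI_ERR_TOO_LONG };

/* Parses one IE from buf[0..buf_len) into imsi and stores the byte count in
 * *out_len.  (length - 2) is computed only after length >= 2 is established,
 * which is the check the report says the modem omits. */
enum mi_status parse_mobile_identity(const uint8_t *buf, size_t buf_len,
                                     uint8_t imsi[IMSI_MAX_BYTES], size_t *out_len)
{
    if (buf_len < 2)
        return MI_ERR_TRUNCATED;          /* need at least length + type octets */
    uint8_t len = buf[0];
    if (len < 2)                          /* the missing check: 0 - 2 wraps to 0xFFFFFFFE */
        return MI_ERR_LENGTH;
    if ((buf[1] & 0x07) != MI_TYPE_IMSI)
        return MI_ERR_TYPE;
    size_t copy_len = (size_t)len - 2;    /* cannot wrap now */
    if (copy_len > IMSI_MAX_BYTES)
        return MI_ERR_TOO_LONG;           /* bound the copy to the destination */
    if (buf_len < (size_t)len)
        return MI_ERR_TRUNCATED;          /* IE claims more bytes than the message holds */
    memcpy(imsi, buf + 2, copy_len);
    *out_len = copy_len;
    return MI_OK;
}

/* Constructed sample IEs (not taken from attach_accept.bin). */
static const uint8_t good_ie[]  = { 0x09, 0x09, 0x10, 0x32, 0x54, 0x76, 0x98, 0x10, 0x32 };
static const uint8_t zero_len[] = { 0x00, 0x09, 0x10, 0x32 };   /* the report's case */
static uint8_t scratch_imsi[IMSI_MAX_BYTES];
static size_t  scratch_len;

int main(void)
{
    enum mi_status s = parse_mobile_identity(zero_len, sizeof zero_len, scratch_imsi, &scratch_len);
    printf("zero-length IE rejected: %s\n", s == MI_ERR_LENGTH ? "yes" : "no");
    return 0;
}
```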

The attached file (attach_accept.bin) contains a malformed “Attach accept” NAS message causing the overflow.


Attachments:
attach_accept.bin

References:
https://source.android.com/security/bulletin/2022-06-01
https://research.checkpoint.com/2022/vulnerability-within-the-unisoc-baseband