Fuzzing USB Modems
Rahul Sasi @fb1h2s
I don‟t own any of the images I have used in
these slides, and I don‟t know whom to give
credits for other than Google, so don‟t come
crying back to me with copyright crap .
I might have copy/pasted diagrams from other
websites and articles and I do not remember all
the sites to give credits to, so don‟t be a kid just
deal with it.
References would be there in the actual white
Who am IRahul Sasi aka fb1h2s.
Admin Member at Team [Garage4hackers.com]
Work as a Security Researcher .
I was invited to present my researches at:
Blackhat Arsenal[ Las Vegas],
Nullcon [Goa 2010-2013],
Ekoparty [ Argentina] ,
What I do at Work.
20% Build Tools
5% Play counter
What I do [at Home ]
Code for KXP
Try out Food
Introduction to USB Data modems.
Fuzzing USM modem dialer applications.
DOS attacks via SMS.
Phishing Attacks via SMS.
Fuzzing Device Drivers
Demo Potential Code execution .
Why a security talk on USB
80 million devices in 2010 [It should be more
Is security risk all about the market share of the
Yes, USB devices are so popular and is owned
by a lot of guys.
o So is this the only reason we consider this for a
What was my interest in
USB Data modems.
Spot the Similarity
Tata Photon, Reliance Net connect , Idea Net
Airtel 3g, Bsnl 3G
All the above products are USB modems sold in
India by different Tele service vendors for
And all of them are made by Huawei :D .
USB wireless modemsA USB modem used for mobile broadband
Internet, aka dongle is widely used these days.
They use the USB port on you're computer to
make it connect to a GSM/CDMA network there
by creating a PPPoE(Point to Point protocol over
Ethernet) interface to your computer.
Default comes a dialer software either written by
the hardware manufacture customized for the
They also come bundled with device driver.
The most important thing.
The mobile phone service providers distribute
|sell these modems.
These modems have a phone no which lies in a
particular series, so all the phone numbers end
with xxxxxx1000 to xxxxxx2000 would be running
a particular version of USB modem dialer
software so the impact is large.
This means mass exploitation since u know were
your targets are. It would be like an ms08-067
with an additional benefit of knowing where your
More on USB modems
These devices when plugged in to a computer detects
as a CDFS file systems and has the following
software's in it.
These software's comes bundled as a package and need
to be installed on the host computer to connect to the
Software Included in Huawei Mobile Connect.
The device driver usually provide
interrupt handling for asynchronous
They allow the host machine to
communicate to the USB interface.
A device driver package for Win
, Mac ,Linux is included with all
This software interacts with the modem
using AT commands, and dials a
connection to establish an internet
connection over 3g/4g.
One of the interesting features that are
added to these dialer software‟s is an
interface to read/sent SMS from your
This is mainly done for sending promotion
offers and advertising [Fuck u SMS
Network Manager: Manages the Network
What do we Attack
Application Inputs for Remote
o Spear Phishing SMS campaigns.
o SMS Parsing Module.
Application Input for Local Attacks.
o Device Drivers
Phishing SMS campaigns.
Social Engineering Attack
I Found this trick back in college 4 years back.
It still work‟s like a charm .
Finding Personal Info of any Phone number:
The security question for any sort of info on you‟r personal details is
you're last recharge value.
Call customer service , give them the no u need to track. Bluff to the
service guy u did a recharge for „n‟ amount and that it was never
reflected in you're account.
He will read out all past recharges for you :D .
Use that details to make a second call , and get access to any one‟s
SMS Parsing Module.
These SMS modules added to the dialers, simply
check the connected USB modem for incoming
If any new message is found it‟s parsed and
moved to a local sqlite database, which is further
used to populate the SMS viewer.
Parsing take place with out user interaction.
When an SMS is sent, its delivered to MSC[
message service center]
SMSC will further sent the message to the
The SMS messages is limited to 160 [7 bit chars]
to 140 [8 bit chars] or 70 [16 bit chars] .
SMS concatenation is used to send a single
large message exceeding 160 chars to be sent
over as multiple SMS and the receiver puts them
together as single SMS.
Can also deliver Binary data [OTA
GSM 7 bit Ascii Encoding
SMS Handling By Modem Dialer
When an SMS arrives at a modem the parser queries the
modem using AT codes and retrieve the incoming SMS.
Response would be “AT” result code and SMS [pdu] DU
(protocol description unit) | text.
The SMS PDU Format
This Is how an SMS u sent out looks like.
Making the Fuzz Payloads
SMS attacks presented by Collin Mulliner, Charlie Miller and Nico
Golde in 2010 -2011. They released a fuzzer that can fuzz mobile
phone by SMS along with test cases [PDU] format. Just steel it.
Phase 1: My Simple Fuzz
Add Victim No
Sent to Victim
If no crash on
Do it again
Possible to Take down n number of systems on
the network, just sent one crafted payload to
each victims and ka-boom.
Few Interesting Bugs:
Bug-1[ Non Exploitable ]
• If two simultaneous SMS are received on the
modem then then you can trigger a UAF[Use
after free] , and doing that is fairly simple.
• There was no user controlled registers for this
bug, or least I could not find one.
• So I marked it Non exploitable [Fun Bug]
App crashes handling service SMS which .
We had a partial register control, but I had to
classify it non exploitable as it was not that easy.
• More technical Details on other bugs and
analysis you can read at my Blog soon.
Lets move on …
Jan-26 : Bug Reported to Huawei
Feb 5: No response from them
Instead a Chinese New Year
Feb 11: PSTR sent a mail to my alternate
address asking about my Nullcon +
More Interactions with them and they
closed the bug thread on Feb 26
Analysis Of the Bugs
• Currently Huawei does not have an Auto Update
, customers will have to manually download
install the patched application.
• The Dealers do not update there customers on
• So technically almost all device out there that are
sold or are yet to be sold runs on a vulnerable
Now that we know bugs
What to Fuzz for
Concatenation of Message
Some support MMS
Even though all these are not supported in many of
the Modems, some do.
DialerWe can reverse the Parser modules to
understand the supporting formats and functions
to help us in better fuzzing.
I didn't spent much time reversing the modules
, as most of the things I wanted were available
from USB sniffing .
I had to spent some time understanding the
different SMS formats supported .The same thing
could be achieved by reading the manual.
Sniffing USB Traffic:
Analyzing USB traffic to better understand the
On Mac Using USB Prober using
On Windows using Usbsnoop pro:
On Linux using Wireshark .
AT Commands Extracted from USB
This command is used to query the current system information, e.g.
system service state, domain, roaming or not and SIM card state.
This interface enables to query the network state and network
selection mode currently registered by the MS.
The SET command is used to set the message storage media
corresponding to the message read/write operations, and return the
current use state of the selected media.
How messages are Read
We can set the Message storage area in modem
The AT+CMGL is used to read messages based
on a particular status.
Read/Unread messages are categorized based
on a status "received unread", "received
read", "stored unsent", "stored sent", etc.
Building Test Cases
Collect some SMS [PDU] messages.
Mutate them and build you're test cases.
Set PDU status to “received unread”.
Attach you‟r sim to you‟r fuzzer.
Write test cases to SIM , you can write 500-1000 test
cases based on the storage capacity.
What to Fuzz
I downloaded other popular devices that were
available in our region and started fuzzing them.
And we got multiple crashes [w00t w00t] .
One was a memory corruption in parsing
Service Center Number. Even though this was
exploitable, in actual scenarios you cannot sent
an SMS message with an invalid Service Center
Number over a GSM network.
So that was dead end.
Another Memory Corruption in
a Service Message
1) You're Hex Shell code has to be in SMS PDU
format appended along with the text.
2) SMS Concatenation works great to send longer
shell codes, but the stack is corrupted with junk
each time new shell code is appended.
3) You would not have to worry about ASLR/DEP as
they are not compiled with them.
We made a working POC [35 byte] shellcode, 1 SMS.
The shell code just write‟s to c:// hack.txt.
I know it sucks but getting a Metpreter running
needed more time and patience than I actually had.
Even though Metpreter was my aim, sometimes you
fail and you need to accept it .
Probably other skilled hackers in this room could get
Mail me at: email@example.com