This article uses a router to reach an SoC that runs Qualcomm's Secure Execution Environment (QSEE). This Trusted Execution Environment (TEE) is found on many Qualcomm-based devices, such as Linksys routers, mobile phones and other devices.
The first issue was getting as much access to the device as possible. The device had a well-documented serial interface, with supporting documentation from OpenWrt, but this only yielded the boot log.
The boot log mentioned U-Boot, so by pressing a key they were able to enter the U-Boot console, which offers a plethora of useful commands.
In ARM TrustZone there are two worlds: the secure world (the TEE) and the non-secure world, also known as the Rich Execution Environment (REE). Which world the processor is executing in is denoted by a special bit, the Non-Secure (NS) bit. The primary and secondary bootloaders load the rest of the system (including the QSEE binary) and run at the highest privilege.
To extract the QSEE binary from the system, they set the serverip U-Boot environment variable to a server they control. They load the binary out of flash into memory and then send it off to that server. All of this can be done from within the U-Boot console!
The QSEE binary is a completely flat binary with no metadata about its structure or symbols, so reversing it took some time.
When the REE calls into the TEE, range checks must be applied to every address the REE supplies, so that the TEE never writes to its own (TEE) addresses on the REE's behalf. This check has to be performed every time the TEE reads from or writes to a REE-supplied address.
The authors of this article identified FOUR places where output addresses were not properly sanitized. Because of this, an attacker could write to arbitrary locations in QSEE memory and compromise the TEE.
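As an added illustration (not code from the article or from QSEE itself), here is a host-side model of the check a secure-world service must apply to an REE-supplied output address before writing a result there; the memory map, the handler and its result data are constructed for the example, and the `vulnerable` flag reproduces the missing check described above:

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/*
 * Constructed memory map (not the router's real layout): one non-secure
 * DRAM window the REE may hand to the TEE, and one secure carve-out that
 * holds QSEE itself. Addresses are modelled over a small host array.
 */
#define SIM_BASE   0x40000000ULL
#define SIM_SIZE   0x2000ULL
#define NS_BASE    0x40000000ULL   /* REE-owned: writable on the REE's behalf */
#define NS_SIZE    0x1000ULL
#define TEE_BASE   0x40001000ULL   /* QSEE memory: never a valid output target */
#define TEE_SIZE   0x1000ULL

static uint8_t sim_mem[SIM_SIZE];

/* Translate a modelled physical address into the host array (NULL if outside). */
static uint8_t *phys(uint64_t addr) {
    if (addr < SIM_BASE || addr - SIM_BASE >= SIM_SIZE) return NULL;
    return &sim_mem[addr - SIM_BASE];
}

/* The range check that was missing in the four vulnerable handlers: the whole
 * window [addr, addr+len) must lie inside non-secure memory, and the
 * arithmetic is written so that a huge len cannot wrap around. */
bool ree_output_range_ok(uint64_t addr, uint64_t len) {
    if (len == 0 || addr < NS_BASE) return false;
    if (len > NS_SIZE || addr - NS_BASE > NS_SIZE - len) return false;
    return true;
}

/* A secure-world service that copies a 16-byte result to the REE-supplied
 * output address. With vulnerable=true the range check is skipped. */
int tee_service_write_result(uint64_t out_addr, uint64_t out_len, bool vulnerable) {
    static const uint8_t result[16] = "QSEE-RESULT-DAT";   /* constructed payload */
    if (!vulnerable && !ree_output_range_ok(out_addr, out_len)) return -1;
    if (out_len < sizeof result) return -2;
    uint8_t *dst = phys(out_addr);
    if (!dst) return -3;   /* outside the simulated window */
    memcpy(dst, result, sizeof result);   /* unchecked: may land inside TEE memory */
    return 0;
}

/* Has the modelled TEE region been left untouched? */
bool tee_region_clean(void) {
    const uint8_t *tee = phys(TEE_BASE);
    for (uint64_t i = 0; i < TEE_SIZE; i++) if (tee[i] != 0) return false;
    return true;
}
```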
To reach this attack surface, an attacker would need to be able to load a kernel module or gain access via U-Boot. Still, vulnerabilities in this component have wide-reaching effects.