Frankenstein - Uncovering Bugs in Embedded Firmware and Android with Full-Stack Fuzzing, presented at CODE BLUE 2020

by Jan Ruge

Summary: Uncovering bugs in embedded closed-source firmware is challenging. Even simple tasks such as attaching a debugger to the software are hard or impossible in the first place. Analysis often gets stuck due to the lack of debug interfaces, and firmware execution cannot be observed the way it can for software running on top of a host's operating system.

In this talk, we present a new approach named Frankenstein [1], which is capable of analyzing, fuzzing and patching ARM-based firmware. We utilize emulation by modifying the binary in a way that makes it possible to run it on Linux. Moreover, we enable compilation and linking of C code against closed-source firmware binary dumps, which enables function calls and memory access without additional abstraction layers. Thus, these patches can run within the original firmware as well as in the emulator; e.g., our heap sanitizer can be used for debugging on the physical target as well as during an emulated fuzzing session.

We apply Frankenstein to Broadcom Bluetooth chips for fuzzing and enable attaching the emulated chip to a Linux host. By feeding arbitrary wireless frames into the Bluetooth chip and attaching it to the Linux BlueZ stack, we uncover two heap overflows within this firmware. Such overflows enable zero-click remote code execution (RCE) prior to device pairing. For one of the memory corruption bugs, we developed a fully working proof of concept (PoC) exploit. To implement this exploit over-the-air, we had to modify the behavior of the link manager protocol (LMP), which is terminated within the Bluetooth firmware and is not accessible from the host operating system. With these modifications, we were able to reuse the code used for emulation to implement the patches required for this exploit.

Finally, we use the same approach to implement a fuzzing firmware that performs mutations on the lower-layer Bluetooth frames that are not accessible to operating systems' Bluetooth stacks. These mutations include the packet header and payload header of raw Bluetooth frames. Using this fuzzing Bluetooth firmware over-the-air uncovered BlueFrag, a bug in the Android operating system. It is reachable prior to pairing, and we developed a PoC working on Android 8 and 9 prior to the February 2020 patches. This vulnerability is also known as CVE-2020-0022.