PINE64 Forum (https://forum.pine64.org) > PinePhone > PinePhone Hardware
Thread: CVE-2021-31698 - Quectel Eg25-g AT Command Injection (https://forum.pine64.org/showthread.php?tid=14935)



CVE-2021-31698 - Quectel Eg25-g AT Command Injection - jtn0514 - 09-20-2021

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31698
https://nns.ee/blog/2021/04/03/modem-rce.html

Curious how to know if the chipset in your device is vulnerable at this point. The CVE states the following: "Quectel EG25-G devices through 202006130814 allow executing arbitrary code remotely by using an AT command to place shell metacharacters in quectel_handle_fumo_cfg input in atfwd_daemon."

This is pretty bad news if this is the case and it hasn't been addressed or patched somehow with a firmware update. Would love to see some further input on this if anyone has any more info on how to patch against this.
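The bug class the CVE describes (an AT command argument reaching a shell with metacharacters intact) is easiest to understand next to its fix. The following C program is an added illustration written for this thread, not code from Quectel's atfwd_daemon (which is not public) or from any project linked here; the helper path fumo_cfg_tool, the function names and the sample inputs are all constructed. It shows the vulnerable pattern (interpolating the argument into a shell command line) beside a hardened handler that whitelists the argument and executes the helper through an argv array so no shell ever parses the string.

```c
/* at_cfg_guard.c: vulnerable vs. hardened handling of an AT command argument.
 * Constructed example; the real atfwd_daemon code is not public. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define TOOL "/usr/bin/fumo_cfg_tool"   /* hypothetical helper binary */

/* Vulnerable pattern: the AT argument is pasted into a command line that is
 * later handed to /bin/sh, so ';', '|', '`' and '$(' are interpreted by the
 * shell. Returns the number of bytes snprintf wanted to write. */
int build_cmd_unsafe(const char *arg, char *out, size_t outlen)
{
    return snprintf(out, outlen, TOOL " --cfg %s", arg);
}

/* Whitelist: accept only the characters a configuration identifier needs.
 * Anything else (including every shell metacharacter) is rejected outright. */
int at_arg_is_safe(const char *arg)
{
    size_t n;
    if (arg == NULL)
        return 0;
    n = strlen(arg);
    if (n == 0 || n > 64)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened: validate first, then build an argv vector. The argument becomes
 * exactly one argv entry, so no shell parsing can ever take place. */
int build_argv_safe(const char *arg, const char *argv[4])
{
    if (!at_arg_is_safe(arg))
        return -1;
    argv[0] = TOOL;
    argv[1] = "--cfg";
    argv[2] = arg;
    argv[3] = NULL;
    return 0;
}

/* Run the helper without /bin/sh. Returns the child's exit status, or -1 when
 * the argument is rejected or the process cannot be started. */
int run_cfg_safely(const char *arg)
{
    const char *argv[4];
    int status;
    if (build_argv_safe(arg, argv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);               /* only reached if execv fails */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample arguments: one legitimate, three carrying metacharacters. */
    const char *inputs[] = { "profile1", "cfg.bin;id", "$(id)", "a|b" };
    char cmd[256];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        printf("input %-12s unsafe shell line: %s\n             whitelist: %s\n",
               inputs[i], cmd, at_arg_is_safe(inputs[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The whitelist is deliberately narrow: a firmware AT handler knows the exact shape of every parameter it accepts, so rejecting anything outside that shape is cheaper and more robust than trying to escape for a shell. The execv path is the second layer; even if validation were loosened later, nothing in the argument string would be interpreted as shell syntax.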


RE: CVE-2021-31698 - Quectel Eg25-g AT Command Injection - wibble - 09-21-2021

It looks to me like an attacker would need to have compromised your pinephone already in order to exploit this issue, so to that extent it's already game over. It might be a route to installing something persistent on the modem though.

There are firmware updates from Quectel available, but I don't know if they've addressed this. There's also Biktorgj's firmware implementation, which I think uses a different AT command handler. If that one has a similar mistake it can at least be fixed openly.
https://github.com/Biktorgj/pinephone_modem_sdk
https://github.com/Biktorgj/meta-qcom/tree/hardknott/recipes-modem/openqti


RE: CVE-2021-31698 - Quectel Eg25-g AT Command Injection - megous - 09-30-2021

(09-20-2021, 08:49 PM)jtn0514 Wrote: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31698
https://nns.ee/blog/2021/04/03/modem-rce.html

Curious how to know if the chipset in your device is vulnerable at this point. The CVE states the following: "Quectel EG25-G devices through 202006130814 allow executing arbitrary code remotely by using an AT command to place shell metacharacters in quectel_handle_fumo_cfg input in atfwd_daemon."

This is pretty bad news if this is the case and it hasn't been addressed or patched somehow with a firmware update. Would love to see some further input on this if anyone has any more info on how to patch against this.

An attacker who can execute arbitrary AT commands (that is, has access to the modem's USB interfaces) can already do whatever he wants to your modem; he can even enable root adb access and modify anything inside your modem. There's 0 protection.

See https://xnux.eu/devices/feature/modem-pp.html (unlock adb access)

No need for crazy hacks. Just enable root shell and have fun.

Or the attacker can just directly ask the modem to reboot and enable flashing mode and replace the firmware with the attacker's image. That can be done over the debug interface; not even AT access is needed.

Etc.