CVE-2021-31698 - Quectel EG25-G AT Command Injection
#1
https://cve.mitre.org/cgi-bin/cvename.cg...2021-31698
https://nns.ee/blog/2021/04/03/modem-rce.html

Curious how to know if the chipset in your device is vulnerable at this point. The CVE states the following: "Quectel EG25-G devices through 202006130814 allow executing arbitrary code remotely by using an AT command to place shell metacharacters in quectel_handle_fumo_cfg input in atfwd_daemon."

This is pretty bad news if this is the case and it hasn't been addressed or patched somehow with a firmware update. Would love to see some further input on this if anyone has any more info on how to patch against this.
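The bug class named in the CVE text above (shell metacharacters reaching a shell through an AT command parameter) is easy to see in miniature. The following is an added illustration written for this thread, not code from atfwd_daemon, from Quectel, or from the linked blog; the handler, the tool path /bin/fumo_tool and the parameter names are hypothetical, and /bin/echo stands in for the real helper so the hardened path can actually be run. It contrasts a handler that splices the parameter into a command string destined for system() with one that allowlists the parameter and executes the helper via argv, so no shell ever parses attacker-controlled bytes.

```c
/* Hypothetical AT-parameter handling, added for illustration only.
 * Not the Quectel firmware's code; names and paths are invented. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define MAX_PARAM 64

/* VULNERABLE PATTERN: the parameter taken from an AT command (which anyone
 * with the modem's USB/serial interface can send) is formatted into a string
 * that the original would then hand to system().  A ';', '`' or "$( )" in
 * 'param' terminates the intended command and starts the attacker's.
 * Returns the length of the resulting command line. */
int vulnerable_build_cmd(const char *param, char *out, size_t outsz)
{
    /* Hypothetical tool path; the shell is what makes this dangerous. */
    return snprintf(out, outsz, "/bin/fumo_tool --cfg %s", param);
}

/* HARDENED: accept only a conservative allowlist of bytes and a bounded
 * length.  Anything a shell could interpret is rejected outright. */
int param_is_safe(const char *param)
{
    size_t n = strlen(param);
    if (n == 0 || n > MAX_PARAM)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* HARDENED: validate, then run the helper with an argv array via execv.
 * No /bin/sh is involved, so even a metacharacter that slipped past the
 * allowlist would be passed to the helper as a literal argument.
 * /bin/echo stands in for the real helper.  Returns the helper's exit
 * status, or -1 if the parameter was rejected or the child could not run. */
int hardened_run(const char *param)
{
    if (!param_is_safe(param))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "/bin/echo", "--cfg", (char *)param, NULL };
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With input such as `x;telnetd -l /bin/sh`, the vulnerable builder produces a command line in which the second command runs as the daemon's user once system() hands it to the shell; the hardened path rejects the same input before anything is executed, and for accepted input never gives a shell the chance to reinterpret it.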
#2
It looks to me like an attacker would need to have compromised your PinePhone already in order to exploit this issue, so to that extent it's already game over. It might be a route to installing something persistent on the modem though.

There are firmware updates from Quectel available, but I don't know if they've addressed this. There's also Biktorgj's firmware implementation, which I think uses a different AT command handler. If that one has a similar mistake it can at least be fixed openly.
https://github.com/Biktorgj/pinephone_modem_sdk
https://github.com/Biktorgj/meta-qcom/tr...em/openqti
#3
(09-20-2021, 08:49 PM)jtn0514 Wrote: https://cve.mitre.org/cgi-bin/cvename.cg...2021-31698
https://nns.ee/blog/2021/04/03/modem-rce.html

Curious how to know if the chipset in your device is vulnerable at this point. The CVE states the following: "Quectel EG25-G devices through 202006130814 allow executing arbitrary code remotely by using an AT command to place shell metacharacters in quectel_handle_fumo_cfg input in atfwd_daemon."

This is pretty bad news if this is the case and it hasn't been addressed or patched somehow with a firmware update. Would love to see some further input on this if anyone has any more info on how to patch against this.

An attacker that can execute arbitrary AT commands (that is, has access to the modem's USB interfaces) can already do whatever he wants to your modem; he can even enable root adb access and modify anything inside your modem. There's zero protection.

See https://xnux.eu/devices/feature/modem-pp.html (unlock adb access)

No need for crazy hacks. Just enable root shell and have fun.

Or the attacker can just directly ask the modem to reboot and enable flashing mode and replace the firmware with the attacker's image. That can be done over the debug interface; not even AT access is needed.

Etc.
my website: https://xnux.eu