Fuzzing Layer-2: How to Trigger Memory Corruption in Exynos Basebands

TLDR: Researchers at Black Hat 2024 demonstrated a methodology for fuzzing cellular baseband processors by targeting Layer-2 protocols to reach deeper, more complex Layer-3 tasks. By using the FirmWire emulator to inject custom fuzzing tasks and restoring critical state variables, they successfully triggered memory corruption vulnerabilities in Exynos basebands. This research proves that even with modern hardening, legacy 2G protocols remain a viable attack surface for triggering high-impact crashes on modern devices.

Cellular baseband security is often treated as a black box, largely because the proprietary firmware is notoriously difficult to analyze and even harder to fuzz. Most research in this space focuses on the high-level radio resource management or mobility management tasks, which are complex and prone to implementation errors. However, the real-world risk is that these basebands are exposed to over-the-air (OTA) traffic, meaning an attacker with a rogue base station can reach these parsers without any user interaction. The recent work presented at Black Hat 2024 shifts the focus from these high-level tasks to the underlying Layer-2 protocols, proving that you can reach deep, vulnerable code paths by simply manipulating the framing and state of the cellular stack.

The Challenge of State-Dependent Fuzzing

Baseband processors are highly stateful. If you simply throw random data at a parser, the firmware will likely reject the malformed packets before they ever reach the interesting, vulnerable code. This is the primary roadblock for most researchers. To get past the initial checks, you need to provide the baseband with a valid state, which often requires reverse engineering proprietary memory structures and magic constants.

The researchers used FirmWire, an open-source full-system baseband emulator, to bypass these roadblocks. Instead of trying to fuzz the baseband from the outside, they injected a custom "fuzzing task" directly into the firmware. This task runs as a native component of the real-time operating system (RTOS) inside the emulator. By doing this, they could manually initialize the internal state variables—such as the protocol discriminator or message groups—before sending their fuzzed payloads. This effectively tricks the baseband into believing it is in a valid, connected state, allowing the fuzzer to reach deeper logic that would otherwise be unreachable.

From Layer-2 to Memory Corruption

The methodology relies on the fact that Layer-2 protocols, specifically the Link Access Protocol on the Dm Channel (LAPDm), are responsible for concatenating frames before passing them up to Layer-3. By fuzzing the concatenation logic, the researchers could trigger memory corruption in the tasks that process these reassembled frames.

The technical breakthrough here is the use of AFL++ to drive the fuzzing process within the emulator. The fuzzer injects payloads that target specific Layer-3 tasks like the Mobility Management (MM) or Radio Resource (RR) layers. When the fuzzer hits a crash, the emulator provides immediate, actionable logs. For instance, they identified a heap-based buffer overflow in the MM task, which was later assigned CVE-2023-50807. Another notable finding was a null pointer dereference, CVE-2024-28068, which demonstrates that even simple logic errors in these proprietary stacks can lead to a complete modem reset.

To reproduce this, you need to identify the memory address where the baseband stores its state variables. Using Ghidra, you can decompile the initialization functions to find the specific offsets for the MM state. Once you have the address, you can use a simple C-based fuzzer task to overwrite these values in memory:

// Example of setting state variables in the fuzzer task
uint32_t *mm_state_addr = (uint32_t *)0x42e22f58;
*mm_state_addr = 0x0; // Force the MM state to a specific value

Real-World Impact and Defensive Reality

For a pentester or bug bounty hunter, this research is a roadmap for targeting mobile devices. You do not need to be a baseband expert to start finding these bugs. By setting up a rogue base station using Yate and YateBTS, you can perform OTA testing against a target device. If the modem crashes and the connection bars disappear, you have successfully triggered a vulnerability.

The defensive reality is that vendors are finally taking this seriously. Recent Android updates have introduced heap sanitization and more consistent use of the execute-never (XN) bit for memory regions, making it significantly harder to turn these crashes into arbitrary code execution. Furthermore, the "Allow 2G" toggle in modern Android settings is a critical defense. By disabling 2G, you effectively remove the attack surface for these legacy protocols, as the baseband will refuse to connect to the rogue base stations that are typically used to deliver these payloads.

What Comes Next

The most striking takeaway is that even after years of scrutiny, 2G implementations remain a goldmine for memory corruption bugs. The fact that these vulnerabilities are being found in modern devices like the Pixel 8 and Galaxy S22 shows that the complexity of these stacks is outpacing the security controls. If you are looking for your next research project, stop trying to find bugs in the high-level radio resource management and start looking at the reassembly logic in the lower layers. The state is the key. If you can control the state, you can control the parser, and if you can control the parser, you can own the modem.