Vulnerability Discovery and Exploitation Targeting QTEE + Widevine
Abstract
Widevine is a DRM solution, and QTEE is Qualcomm's TrustZone implementation; both run on billions of devices. In this presentation, we will share our latest study of Widevine on QTEE. We will first explain why QTEE and Widevine are high-value targets and briefly cover the basics of both. After that, we will show how to locate the command handling logic and walk through it to show how we found a vulnerability.
With the vulnerability in hand, we need the following in order to achieve the exploit:
- We need to know the memory model of a QTEE TA, especially how commands are delivered and how buffers are shared between the two worlds. A second vulnerability is used to obtain an information leak under this model.
- We need to know where the TA is loaded and find a way to break ASLR.
- We need to find a memory layout that lets us reach the TA from the user-controlled location.
After the above is resolved, we will put them together to exploit the Widevine TA and extract data from SFS, the trusted storage of QTEE.
Prior knowledge is not mandatory but is recommended.