An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.

The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.

The vulnerability described in this advisory affected a wide range of Mediatek devices. The January 2024 issue of the Mediatek Security Bulletin contains this vulnerability as CVE-2023-32888.

## Vulnerability Details

When a SIP message is unpacked by `sip_msg_unpack`, `cc_call_set_peer_addr` is responsible for updating the session
description object with the peer information.
When the SIP message contains the `P-Asserted-Identity` header, the vulnerable `cc_call_replace_double_quote`
function is called to replace double quotes with the “ string.

```c
char * cc_call_replace_double_quote(call_session_call_object_t *callobj, char *src_string)
{
  size_t len;
  size_t __n;
  char *dst;
  char *__dest;
  int iVar1;
  undefined4 uStack_2c;
  undefined4 uStack_28;
  undefined4 uStack_24;

  uStack_2c = 0;
  uStack_28 = 0;
  uStack_24 = 0;
  if (((callobj != (call_session_call_object_t *)0x0) &&
       (callobj->parent_profile != (call_acct_profile_t *)0x0)) &&
      // [0] Config option
      (callobj->parent_profile->replace_double_quote != 0)) {
    len = strlen(src_string);
    inet_msg_mapping_char_to_ascii(0x22, (char *)&uStack_2c);
    __n = strlen((char *)&uStack_2c);
    // [1] Input length check
    if (len < 0x200) {
      // [2] Heap buffer allocation
      dst = voip_get_mem(0x200, "protocol/ims/ua/src/call/call_message.c", 0x18df);
      if (dst != NULL) {
        __wrap_memset(dst, 0, 0x200);
        __wrap_memcpy(dst, src_string, len);
        // [3] Find escaped double quote
        while (__dest = strstr((char *)dst, (char *)"\\\""), __dest != NULL) {
          iVar1 = (int)__dest - (int)dst;
          if (iVar1 != 0) {
            // [4] Replace it with string
            memmove(dst + __n + iVar1, dst + iVar1 + 2, (len - 2) - iVar1);
            strncpy(__dest, (char *)&uStack_2c, __n);
            len = len + (__n - 2);
          }
        }
        return dst;
      }
    }
    else {
      // [ErrMsg] length is not enough. len=[%]
      _dhl_index_trace(0, "", 0x32b011c2, &DAT_9186db70);
    }
  }
  return (char *)0x0;
}
```

The function checks whether double quote replacement is enabled [0], then checks that the length of
the input string is less than 0x200 [1] and allocates a 0x200-byte heap buffer [2].
The `voip_get_mem` function calls `__kal_adm_alloc` internally to make the allocation.
The loop at [3] finds every occurrence of an escaped double quote `\"` in the input string and
replaces it with the “ string [4].
While the length check at [1] ensures that the input string alone cannot spill over the boundaries
of the allocated buffer, it fails to take into account the extra bytes added by the expansion.

The result is that the attacker is able to essentially fully control both the length of the heap buffer overwrite and the byte values written.
The “ value is fixed, but it only serves to fill up the desired number of bytes at the head of the allocated buffer,
so the bytes that actually overflow the allocation are entirely attacker controlled.
The replacement string is 8 bytes longer than the escaped double quote it replaces, so the expansion adds `N*8` bytes for N escaped quotes, with N at most `0x100`. Since the input string itself can have any length `<=0x200`, the number of bytes written past the end of the allocation can be tuned to any value up to `N*8`, not only multiples of 8.
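As an added illustration, not Mediatek's code or code from the advisory, the following C program reproduces the arithmetic of the expansion and shows the bounds check the original function lacks: the post-expansion length, not the input length, is what must be compared against the 0x200-byte buffer. The two-byte `\"` search pattern and the 0x200 buffer size are taken from the decompiled function above; the 10-byte replacement string `[QUOTE-10]` is a constructed placeholder, since the advisory only states that the real mapped value is 8 bytes longer than `\"`. The constructed sample input follows the shape of the payload in the Example Payload section (`"BEGIN`, 100 escaped quotes, `END" `).

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define DST_SIZE 0x200u          /* size of the fixed heap buffer in the advisory */
#define ESCAPED_QUOTE "\\\""     /* the two-byte sequence \" that the loop searches for */

/* Constructed placeholder: the advisory only says the mapped replacement is
 * 8 bytes longer than \" (so 10 bytes); the real value is not on the page. */
static const char REPLACEMENT[] = "[QUOTE-10]";

/* Number of non-overlapping \" sequences, found the way strstr-and-advance would. */
static size_t count_escaped_quotes(const char *s)
{
    size_t n = 0;
    for (const char *p = strstr(s, ESCAPED_QUOTE); p != NULL; p = strstr(p + 2, ESCAPED_QUOTE))
        n++;
    return n;
}

/* Length the string has after every \" has been expanded to repl_len bytes.
 * This is the quantity the original check (len < 0x200) never looks at. */
size_t expanded_length(const char *src, size_t repl_len)
{
    return strlen(src) + count_escaped_quotes(src) * (repl_len - 2);
}

/* Bytes that an unchecked in-place expansion would write past a DST_SIZE buffer
 * (0 when the expanded string, including its NUL, still fits). */
size_t overflow_bytes(const char *src, size_t repl_len)
{
    size_t need = expanded_length(src, repl_len) + 1;   /* +1 for the terminator */
    return need > DST_SIZE ? need - DST_SIZE : 0;
}

/* Hardened replacement: reject the input when the *expanded* string would not fit,
 * then build the result in a single forward pass instead of shifting in place. */
char *replace_escaped_quotes_safe(const char *src, const char *repl)
{
    size_t repl_len = strlen(repl);
    if (repl_len < 2 || overflow_bytes(src, repl_len) != 0)
        return NULL;                        /* would overflow: refuse instead of writing */

    char *dst = calloc(DST_SIZE, 1);
    if (dst == NULL)
        return NULL;

    char *w = dst;
    const char *p = src, *q;
    while ((q = strstr(p, ESCAPED_QUOTE)) != NULL) {
        size_t chunk = (size_t)(q - p);     /* bytes before this \" */
        memcpy(w, p, chunk);
        w += chunk;
        memcpy(w, repl, repl_len);          /* write the replacement */
        w += repl_len;
        p = q + 2;                          /* skip the two-byte \" */
    }
    strcpy(w, p);                           /* tail; fits by the check above */
    return dst;
}

/* Constructed input in the shape of the advisory's payload:
 * "BEGIN, then n_escaped copies of \", then END" followed by a space. */
static char g_sample[DST_SIZE];
const char *build_sample(size_t n_escaped)
{
    size_t pos = 0;
    memcpy(g_sample, "\"BEGIN", 6);
    pos += 6;
    while (n_escaped-- > 0 && pos + 2 + 6 < sizeof g_sample) {
        g_sample[pos++] = '\\';
        g_sample[pos++] = '"';
    }
    memcpy(g_sample + pos, "END\" ", 5);
    pos += 5;
    g_sample[pos] = '\0';
    return g_sample;
}

/* Convenience check for the hardened path: 1 if the output equals `expected`. */
int safe_output_equals(const char *src, const char *expected)
{
    char *out = replace_escaped_quotes_safe(src, REPLACEMENT);
    int ok = (out != NULL) && strcmp(out, expected) == 0;
    free(out);
    return ok;
}
```

With 100 escaped quotes the sample is 211 bytes long and passes the original `len < 0x200` check, yet it expands to 1011 bytes, so an unchecked in-place expansion would write 500 bytes beyond the 0x200-byte allocation; the hardened variant returns NULL for that input and only produces output when the expanded string fits.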

The vulnerable code path is only reachable if the `replace_double_quote` config option is enabled [0].
The option is disabled by default, but `call_service_read_message` enables it for specific telco operators.

## Example Payload

Replace the `P-Asserted-Identity` field of a legitimate SIP INVITE as below:

```python
import re

payload = b'"BEGIN' + b'\\"' * 100 + b'END" '
msg_raw = re.sub(b"(?<=P-Asserted-Identity: )(?=<.*>\r?\n)", payload, msg_raw)
```

To trigger the vulnerable path, force the modem carrier configuration to use an operator for which the functionality is enabled by default, such as Cricket Wireless.

## Affected Devices

MT2735, MT6813, MT6833, MT6833P, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6877T, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895T, MT6896, MT6897, MT6980, MT6980D, MT6983T, MT6983W, MT6983Z, MT6985, MT6985T, MT6989, MT6990

## Timeline

- 2023.07.28. Bug reported to Mediatek PSIRT
- 2023.09.14. Mediatek confirms vulnerability
- 2023.11.06. Mediatek confirms CVE
- 2024.01.02. Mediatek releases security bulletin
- 2025.06.26. Vulnerability publicly disclosed at Troopers '25
- 2025.10.01. Advisory release