2025-09-05, Main track
A Steering of Roaming (SoR) solution in the telecom world is a component used by mobile network operators to manage which networks their subscribers connect to when roaming in other countries. While fuzzing a globally used SoR component, we discovered a remote code execution vulnerability that could be exploited from the position of other telecom operators. In this talk we want to take you with us on the journey from fuzzing setup to crash discovery, initial exploitation, all the way to overcoming the network isolation and protocol constraints to craft an exploit that allows for two-way communication.
Talk Outline:
- Introduction to Mobile Networks & Steering of Roaming
- Protocols for Steering of Roaming
- Fuzzing setup
- Diagnosing crashes
- Isolating exploitable cases
- Initial exploitation
- Binary protections
- ROPping
- One-way communication limitations
- How we got creative to get RCE with two-way communication
- Communication with the vendor
Sebastiaan is an Ethical Hacker at KPN with an interest in binary analysis and exploitation, system security and breaking programs in general. Before that, he worked as an incident responder and forensic analyst at KPN-CERT. Whenever the opportunity arises, he can be found at CTF events.
Frank Cozijnsen is a seasoned ethical hacker at KPN, the leading telecommunications provider in the Netherlands, where he has worked for over 25 years. Previously, he held roles as a VoIP engineer and system administrator within the same organization.
Frank likes to focus on assessing mobile networking equipment and telecom infrastructure, with a particular interest in binary exploitation and hacking complex environments. He likes to play CTFs and has discovered vulnerabilities in several products using custom fuzzing techniques.