Document Title:
===============
ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02)  - Multiple Vulnerabilities




Release Date:
=============
2015-02-09



References (Source):
====================
http://zero-way.net/forum/forum/pentration-testing/exploits/locals/235-zte-datacard-telecom-mf626-modem-pcw_tnznzlv1-0-0b02-multiple-vulnerabilities




Product & Service Introduction:
===============================
http://www.zte.com.cn
http://www.zte.co.nz/main/Product_Downloads/MF626_downloads.htm






Affected Product(s):
====================
ZTE Corporation
Product: ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) 

Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local privilege escalation vulnerability has been discovered in the official ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02)  application software.
The local security vulnerability allows an attackers to gain higher access privileges by exploitation of a insecure permission misconfiguration.

The software suffers from a local privilege escalation vulnerability. Users are able to change the file with executable access to a binary of choice.
The issue is located in the misconfigured permissions values with the `F`(full) flag in the users and everyone group. The permissions are set to all 
the binary files of the software in the same location. The files are installed in the `Ucell Internet` directory. The group/user permission for 
the path is assigned to the everyone group. The full path with the permission misconfiguration allows local low privileged system user accounts to 
exploit the vulnerability to gain higher access privileges. After the attacker replaced the binary file with the malicious code he can reboot the 
system to gain higher access privileges. At the end the attacker is able to fully compromises the system by local exploitation.

T

The third discovered vulnerability is a denial of service bug that affects the local process. Local attackers are able to manipulate the 
networkCfg.xml to crash the application with a runtime error that results in a unhandled exception.


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by local attackers with restricted account privileges and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.



--- PoC Session Logs Local Privilege Escalation ---
   
C:\Users\s-dz\Desktop>accesschk.exe -dqv "C:\Program Files\Telecom Connection Manager"
C:\Program Files\Telecom Connection Manager
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Tout le monde
        FILE_ALL_ACCESS
  RW NT SERVICE\TrustedInstaller
        FILE_ALL_ACCESS
  RW AUTORITE NT\SystÞme
        FILE_ALL_ACCESS
  RW BUILTIN\Administrateurs
        FILE_ALL_ACCESS
  R  BUILTIN\Utilisateurs
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_EA
        FILE_TRAVERSE
        SYNCHRONIZE
        READ_CONTROL

C:\Users\s-dz\Desktop>

C:\Users\s-dz\Desktop>icacls "C:\Program Files\Telecom Connection Manager"
C:\Program Files\Telecom Connection Manager Tout le monde:(F)
                                            Tout le monde:(OI)(CI)(IO)(F)
                                            NT SERVICE\TrustedInstaller:(I)(F)
                                            NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                            AUTORITE NT\Système:(I)(F)
                                            AUTORITE NT\Système:(I)(OI)(CI)(IO)(F)
                                            BUILTIN\Administrateurs:(I)(F)
                                            BUILTIN\Administrateurs:(I)(OI)(CI)(IO)(F)
                                            BUILTIN\Utilisateurs:(I)(RX)
                                            BUILTIN\Utilisateurs:(I)(OI)(CI)(IO)(GR,GE)
                                            CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F)

1 fichiers correctement traités ; échec du traitement de 0 fichiers

C:\Users\s-dz\Desktop>


--- PoC Local DoS ---

first go to C:\program files\Internet Mobile\networkCfg.xml (Network configuration)
and write "A" * 3000 in     <ConfigFileName>"A" x 3000</ConfigFileName> . Save it open the program .
poc will crash ...
                                                       


Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr