Huawei Mobile Partner | Permission Weakness Local Privilege Escalation
1. DESCRIPTION
Huawei Mobile Partner application contains a flaw that may allow an
attacker to gain access to unauthorized privileges. The issue is due
to the application installing with insecure permissions. This allows a
less privileged local attacker or compromised process to replace the
original application binary with a malicious application which will be
executed by a victim user or upon Mobile Partner application Windows
service restart.
2. BACKGROUND
Mobile Partner is a built-in application in Huawei 3G USB modems that
allow you to connect to the 3G mobile network for Internet access. It
is widely used by many telcos round the world.
3. VERSIONS AFFECTED
Tested version: 23.007.09.00.203.
4. PROOF-OF-CONCEPT/EXPLOIT
//// Tested on Windows
c:\>wmic service get pathname | find "Mobile Partner"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
RW Everyone
RW BUILTIN\Users
c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe"
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
RW Everyone
RW BUILTIN\Users
c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
RW Everyone
RW BUILTIN\Users
/// Tested on Mac
YEHG:/ tester$ find "/Applications/Mobile Partner.app" -perm -0002 -type f -exec file {} \; | grep executable | awk -F\( '{print $1}' | uniq
/Applications/Mobile Partner.app/Contents/MacOS/mobilepartner
/Applications/MobilePartner.app/Contents/Resources/UpdateDog/LiveUpd.app/Contents/MacOS/LiveUpd
/Applications/MobilePartner.app/Contents/Resources/UpdateDog/ouc.app/Contents/MacOS/ouc
/Applications/MobilePartner.app/Contents/Resources/XStartScreen.app/Contents/MacOS/XStartScreen
5. SOLUTION
The vendor has not responded to our security report for months.
Workaround is to remove WRITE attribute permission on all Mobile
Partner executable files for non-administrator and non-system
accounts.
6. VENDOR
Huawei Technologies Co.,Ltd
7. CREDIT
Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
8. DISCLOSURE TIME-LINE
2012-10-xx: Contacted the vendor through publicly mentioned emails and forums
2013-02-11: No response
2013-02-11: Vulnerability not fixed
2013-02-11: Vulnerability disclosed
9. REFERENCES
Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/huawei_mobile_partner-insecure_permission
#yehg [2013-02-11]
Huawei Mobile Partner application contains a flaw that may allow an
attacker to gain access to unauthorized privileges. The issue is due
to the application installing with insecure permissions. This allows a
less privileged local attacker or compromised process to replace the
original application binary with a malicious application which will be
executed by a victim user or upon Mobile Partner application Windows
service restart.
2. BACKGROUND
Mobile Partner is a built-in application in Huawei 3G USB modems that
allow you to connect to the 3G mobile network for Internet access. It
is widely used by many telcos round the world.
3. VERSIONS AFFECTED
Tested version: 23.007.09.00.203.
4. PROOF-OF-CONCEPT/EXPLOIT
//// Tested on Windows
c:\>wmic service get pathname | find "Mobile Partner"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
RW Everyone
RW BUILTIN\Users
c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe"
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
RW Everyone
RW BUILTIN\Users
c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
RW Everyone
RW BUILTIN\Users
/// Tested on Mac
YEHG:/ tester$ find "/Applications/Mobile Partner.app" -perm -0002 -type f -exec file {} \; | grep executable | awk -F\( '{print $1}' | uniq
/Applications/Mobile Partner.app/Contents/MacOS/mobilepartner
/Applications/MobilePartner.app/Contents/Resources/UpdateDog/LiveUpd.app/Contents/MacOS/LiveUpd
/Applications/MobilePartner.app/Contents/Resources/UpdateDog/ouc.app/Contents/MacOS/ouc
/Applications/MobilePartner.app/Contents/Resources/XStartScreen.app/Contents/MacOS/XStartScreen
5. SOLUTION
The vendor has not responded to our security report for months.
Workaround is to remove WRITE attribute permission on all Mobile
Partner executable files for non-administrator and non-system
accounts.
6. VENDOR
Huawei Technologies Co.,Ltd
7. CREDIT
Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.
8. DISCLOSURE TIME-LINE
2012-10-xx: Contacted the vendor through publicly mentioned emails and forums
2013-02-11: No response
2013-02-11: Vulnerability not fixed
2013-02-11: Vulnerability disclosed
9. REFERENCES
Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/huawei_mobile_partner-insecure_permission
#yehg [2013-02-11]