Message-ID: <CAPYM6VxNt3d1FXPnn21-so23Es4KS0JQsfCZ27SN+iWnsMgmHw@mail.gmail.com>
Date: Mon, 11 Feb 2013 20:45:26 +0800
From: YGN Ethical Hacker Group <lists@...g.net>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq <bugtraq@...urityfocus.com>, OSVDB Mods <moderators@...db.org>
Cc: submissions@...ketstormsecurity.org
Subject: Huawei Mobile Partner | Permission Weakness Local
	Privilege Escalation

1. DESCRIPTION

The Huawei Mobile Partner application contains a flaw that may allow an
attacker to gain unauthorized privileges. The issue is due to the
application being installed with insecure permissions. This allows a
less privileged local attacker or compromised process to replace the
original application binary with a malicious application, which will be
executed by a victim user or when the Mobile Partner Windows service
restarts.


2. BACKGROUND

Mobile Partner is a built-in application in Huawei 3G USB modems that
allows you to connect to the 3G mobile network for Internet access. It
is widely used by many telcos around the world.


3. VERSIONS AFFECTED

Tested version: 23.007.09.00.203.


4. PROOF-OF-CONCEPT/EXPLOIT

//// Tested on Windows

c:\>wmic service get pathname | find "Mobile Partner"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
  RW Everyone
  RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe"
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
  RW Everyone
  RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
  RW Everyone
  RW BUILTIN\Users


/// Tested on Mac

YEHG:MacOS tester$ ls -Rl /Applications/Mobile\ Partner.app/ | grep rwxrwxrwx | grep "\(app\|mobilepartner\)"
-rwxrwxrwx 1 root admin 82496 Oct 6 17:34 mobilepartner
drwxrwxrwx 3 root admin 102 Oct 6 17:34 XStartScreen.app
drwxrwxrwx 3 root admin 102 Oct 6 17:34 LiveUpd.app
drwxrwxrwx 3 root admin 102 Oct 6 17:34 ouc.app


5. SOLUTION

The vendor has not responded to our security report for months.
The workaround is to remove write permission on all Mobile Partner
executable files for non-administrator and non-system accounts.
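
One way to check for and apply this workaround on the Mac side, as an added example that is not part of the original advisory: the function names are hypothetical, and it assumes that clearing only the "other" write bit is sufficient because the listing in section 4 shows the files owned by root with group admin.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.
# Assumption: owner root / group admin (as in the section 4 listing) are
# trusted, so only the "other" (world) write bit is treated as a finding.

# Print every regular file or directory under $1 that is world-writable.
# find does not follow symlinks by default, so a link inside the bundle
# cannot steer the scan (or the fix below) to a path outside it.
audit_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Number of world-writable entries under $1; 0 means nothing to fix.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Clear the world-write bit on every finding. Read and execute bits are
# left untouched so the application keeps working for ordinary users.
harden_bundle() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Stand-alone use: sh script.sh "/Applications/Mobile Partner.app" [--fix]
if [ "$#" -ge 1 ]; then
    echo "world-writable entries under $1: $(count_world_writable "$1")"
    audit_world_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        harden_bundle "$1"
        echo "remaining after fix: $(count_world_writable "$1")"
    fi
fi
```

Changing modes on root-owned files requires running the fix as an administrator. A reinstall or update of the application may restore the original permissions, so the audit is worth repeating afterwards.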


6. VENDOR

Huawei Technologies Co.,Ltd


7. CREDIT

Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


8. DISCLOSURE TIME-LINE

2012-10-xx: Contacted the vendor through publicly mentioned emails and forums
2013-02-11: No response
2013-02-11: Vulnerability not fixed
2013-02-11: Vulnerability disclosed


9. REFERENCES

Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/huawei_mobile_partner-insecure_permission

#yehg [2013-02-11]
