Escalating Local Privileges Using Mobile Partner

Mobile Partner is a very popular software that ships with Huawei internet dongles. Recently I noticed the fact that the “Mobile Partner” directory and all subdirectories, files by default has full permissions granted the Users group. This means that any User in your system can plant a malicious executable and escalate privileges when the Administrator runs Mobile Partner. Why not bind the exe using msfpayload or msfvenom? 😉

 Proof of Concept

By default in my dongle I had Mobile Partner 11.302.09.00.03 and if you are using versions below you might find out that this folder and it’s contents has been granted full permissions not only to the Users group but also to Everyone which means any random user can plant anything inside this directory.


However after downloading the latest version 23.009.05.03.1014 in which it turns out that “Everyone” group is no longer granted permissions but still “Users” group has full permissions.

But after doing some more analysis I found out that Mobile Partner has a DLL hijacking vulnerability which is wintab32.dll. Looks like the target DLL is unavailable and the app seems to be desperately searching it. However we can successfully use this DLL to hijack and execute our code.

So why not place this vulnerable DLL inside the directory instead of planting malware 😉 I wasn’t lucky to find the function loaded by Mobile Partner. If you can find out the function, we can write our own Stage 1 of meterpreter and this might be undetectable to most anti-viruses, but still we can run our shellcode in a new process. This is the technique used by the Metasploit framework. I will be using this C template in this. Credits to HD Moore and to the MSF Development team. https://github.com/rapid7/metasploit-framework/tree/master/data/templates/src/pe/dll
I had to modified this a bit to self-compile by removing additional framework preprocessor directives. Generate your shellcode, in my case the meterpreter reverse tcp and paste it in the “code=” unsigned char.

Rename it to wintab32.dll and place it inside the Mobile Partner directory. That is it, once the Admin user opens Mobile Partner.exe It will search this DLL and we can nicely get an Admin shell on the box 🙂
To fix this you can apply ACL rules only to Read and Read & Execute to the “Users” and to the “Everyone” groups to every sub folder and files in it. You can do it simply by the following command.

Here is a very short demo just to demonstrate this scenario.

Acknowledgement can be viewed from this link:

Acknowledged by Huawei

Advisories

CVE: CVE-2014-8358, CVE-2014-8359
http://xforce.iss.net/xforce/xfdb/97682
http://xforce.iss.net/xforce/xfdb/97681
http://www.securityfocus.com/bid/70672/info
http://www.securityfocus.com/bid/70671/info
http://packetstormsecurity.com/files/128767/Huawei-Mobile-Partner-DLL-Hijacking.html

Advertisements

2 thoughts on “Escalating Local Privileges Using Mobile Partner

Leave a Reply