Huawei Mobile Partner Poor Permissions

2013.02.12
Credit: Myo Soe
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

1. DESCRIPTION

The Huawei Mobile Partner application contains a flaw that may allow an attacker to gain unauthorized privileges. The issue is due to the application installing with insecure permissions. This allows a less privileged local attacker or compromised process to replace the original application binary with a malicious application, which will be executed by a victim user or when the Mobile Partner Windows service restarts.

2. BACKGROUND

Mobile Partner is a built-in application in Huawei 3G USB modems that allows you to connect to the 3G mobile network for Internet access. It is widely used by many telcos around the world.

3. VERSIONS AFFECTED

Tested version: 23.007.09.00.203.

4. PROOF-OF-CONCEPT/EXPLOIT

//// Tested on Windows

c:\>wmic service get pathname | find "Mobile Partner"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
  RW Everyone
  RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe"
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
  RW Everyone
  RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
  RW Everyone
  RW BUILTIN\Users

/// Tested on Mac

YEHG:MacOS tester$ ls -Rl /Applications/Mobile\ Partner.app/ | grep rwxrwxrwx | grep "\(app\|mobilepartner\)"
-rwxrwxrwx 1 root admin 82496 Oct 6 17:34 mobilepartner
drwxrwxrwx 3 root admin 102 Oct 6 17:34 XStartScreen.app
drwxrwxrwx 3 root admin 102 Oct 6 17:34 LiveUpd.app
drwxrwxrwx 3 root admin 102 Oct 6 17:34 ouc.app

5. SOLUTION

The vendor has not responded to our security report for months. The workaround is to remove the WRITE permission on all Mobile Partner executable files for non-administrator and non-system accounts.

6. VENDOR

Huawei Technologies Co.,Ltd

7. CREDIT

Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.

8. DISCLOSURE TIME-LINE

2012-10-xx: Contacted the vendor through publicly mentioned emails and forums
2013-02-11: No response
2013-02-11: Vulnerability not fixed
2013-02-11: Vulnerability disclosed

9. REFERENCES

Original Advisory URL: http://core.yehg.net/lab/pr0js/advisories/huawei_mobile_partner-insecure_permission

#yehg [2013-02-11]
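One way to check for and apply the workaround from section 5 on the macOS side, as an added example that is not part of the original advisory. The function names and the `--fix` switch are assumptions of this example; the bundle path in the usage comment is the one shown in the advisory's `ls` output.

```shell
#!/bin/sh
# Added example, not code from the advisory or the vendor.
# Usage (hypothetical script name):
#   sudo sh audit_bundle.sh "/Applications/Mobile Partner.app"        # report only
#   sudo sh audit_bundle.sh "/Applications/Mobile Partner.app" --fix  # apply workaround
# The entries in the advisory's listing are owned by root, so changing
# their mode requires root.

# Print every regular file and directory under $1 that has the
# "other" write bit set (the last 'w' in rwxrwxrwx).
# Directories are included on purpose: write access to a directory lets a
# user delete or rename the files inside it, even when the files
# themselves are read-only.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Clear the "other" write bit on everything list_world_writable reports.
# Owner and group permissions (root:admin in the advisory's listing) are
# left untouched. Prints the number of entries that were writable.
remove_world_write() {
    before=$(list_world_writable "$1" | wc -l | tr -d ' ')
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
    echo "$before"
}

# Run only when a target path is given on the command line.
if [ $# -gt 0 ]; then
    target=$1
    echo "World-writable entries under $target:"
    list_world_writable "$target"
    if [ "${2:-}" = "--fix" ]; then
        fixed=$(remove_world_write "$target")
        echo "Removed world-write from $fixed entries."
        remaining=$(list_world_writable "$target" | wc -l | tr -d ' ')
        echo "Entries still world-writable: $remaining"
    fi
fi
```
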

References:

http://yehg.net

