Aerosol Posted February 11, 2015 Report Posted February 11, 2015 Document Title:===============ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) - Multiple VulnerabilitiesRelease Date:=============2015-02-09References (Source):====================http://zero-way.net/forum/forum/pentration-testing/exploits/locals/235-zte-datacard-telecom-mf626-modem-pcw_tnznzlv1-0-0b02-multiple-vulnerabilitiesProduct & Service Introduction:===============================http://www.zte.com.cnhttp://www.zte.co.nz/main/Product_Downloads/MF626_downloads.htmAffected Product(s):====================ZTE CorporationProduct: ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) Exploitation Technique:=======================LocalSeverity Level:===============HighTechnical Details & Description:================================A local privilege escalation vulnerability has been discovered in the official ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) application software.The local security vulnerability allows an attackers to gain higher access privileges by exploitation of a insecure permission misconfiguration.The software suffers from a local privilege escalation vulnerability. Users are able to change the file with executable access to a binary of choice.The issue is located in the misconfigured permissions values with the `F`(full) flag in the users and everyone group. The permissions are set to all the binary files of the software in the same location. The files are installed in the `Ucell Internet` directory. The group/user permission for the path is assigned to the everyone group. The full path with the permission misconfiguration allows local low privileged system user accounts to exploit the vulnerability to gain higher access privileges. After the attacker replaced the binary file with the malicious code he can reboot the system to gain higher access privileges. At the end the attacker is able to fully compromises the system by local exploitation.TThe third discovered vulnerability is a denial of service bug that affects the local process. Local attackers are able to manipulate the networkCfg.xml to crash the application with a runtime error that results in a unhandled exception.Proof of Concept (PoC):=======================The vulnerabilities can be exploited by local attackers with restricted account privileges and without user interaction.For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.--- PoC Session Logs Local Privilege Escalation ---C:\Users\s-dz\Desktop>accesschk.exe -dqv "C:\Program Files\Telecom Connection Manager"C:\Program Files\Telecom Connection Manager Medium Mandatory Level (Default) [No-Write-Up] RW Tout le monde FILE_ALL_ACCESS RW NT SERVICE\TrustedInstaller FILE_ALL_ACCESS RW AUTORITE NT\SystÞme FILE_ALL_ACCESS RW BUILTIN\Administrateurs FILE_ALL_ACCESS R BUILTIN\Utilisateurs FILE_LIST_DIRECTORY FILE_READ_ATTRIBUTES FILE_READ_EA FILE_TRAVERSE SYNCHRONIZE READ_CONTROLC:\Users\s-dz\Desktop>C:\Users\s-dz\Desktop>icacls "C:\Program Files\Telecom Connection Manager"C:\Program Files\Telecom Connection Manager Tout le monde:(F) Tout le monde:(OI)(CI)(IO)(F) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) AUTORITE NT\Système:(I)(F) AUTORITE NT\Système:(I)(OI)(CI)(IO)(F) BUILTIN\Administrateurs:(I)(F) BUILTIN\Administrateurs:(I)(OI)(CI)(IO)(F) BUILTIN\Utilisateurs:(I)(RX) BUILTIN\Utilisateurs:(I)(OI)(CI)(IO)(GR,GE) CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F)1 fichiers correctement traités ; échec du traitement de 0 fichiersC:\Users\s-dz\Desktop>--- PoC Local DoS ---first go to C:\program files\Internet Mobile\networkCfg.xml (Network configuration)and write "A" * 3000 in <ConfigFileName>"A" x 3000</ConfigFileName> . Save it open the program .poc will crash ...Credits & Authors:==================Hadji Samir s-dz@hotmail.frSource Quote