Jump to content
Aerosol

ZTE Datacard Telecom MF626 Modem Privilege Escalation

Recommended Posts

Posted

Document Title:
===============
ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) - Multiple Vulnerabilities




Release Date:
=============
2015-02-09



References (Source):
====================
http://zero-way.net/forum/forum/pentration-testing/exploits/locals/235-zte-datacard-telecom-mf626-modem-pcw_tnznzlv1-0-0b02-multiple-vulnerabilities




Product & Service Introduction:
===============================
http://www.zte.com.cn
http://www.zte.co.nz/main/Product_Downloads/MF626_downloads.htm






Affected Product(s):
====================
ZTE Corporation
Product: ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02)

Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local privilege escalation vulnerability has been discovered in the official ZTE Datacard Telecom MF626 Modem (PCW_TNZNZLV1.0.0B02) application software.
The local security vulnerability allows an attackers to gain higher access privileges by exploitation of a insecure permission misconfiguration.

The software suffers from a local privilege escalation vulnerability. Users are able to change the file with executable access to a binary of choice.
The issue is located in the misconfigured permissions values with the `F`(full) flag in the users and everyone group. The permissions are set to all
the binary files of the software in the same location. The files are installed in the `Ucell Internet` directory. The group/user permission for
the path is assigned to the everyone group. The full path with the permission misconfiguration allows local low privileged system user accounts to
exploit the vulnerability to gain higher access privileges. After the attacker replaced the binary file with the malicious code he can reboot the
system to gain higher access privileges. At the end the attacker is able to fully compromises the system by local exploitation.

T

The third discovered vulnerability is a denial of service bug that affects the local process. Local attackers are able to manipulate the
networkCfg.xml to crash the application with a runtime error that results in a unhandled exception.


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by local attackers with restricted account privileges and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.



--- PoC Session Logs Local Privilege Escalation ---

C:\Users\s-dz\Desktop>accesschk.exe -dqv "C:\Program Files\Telecom Connection Manager"
C:\Program Files\Telecom Connection Manager
Medium Mandatory Level (Default) [No-Write-Up]
RW Tout le monde
FILE_ALL_ACCESS
RW NT SERVICE\TrustedInstaller
FILE_ALL_ACCESS
RW AUTORITE NT\SystÞme
FILE_ALL_ACCESS
RW BUILTIN\Administrateurs
FILE_ALL_ACCESS
R BUILTIN\Utilisateurs
FILE_LIST_DIRECTORY
FILE_READ_ATTRIBUTES
FILE_READ_EA
FILE_TRAVERSE
SYNCHRONIZE
READ_CONTROL

C:\Users\s-dz\Desktop>

C:\Users\s-dz\Desktop>icacls "C:\Program Files\Telecom Connection Manager"
C:\Program Files\Telecom Connection Manager Tout le monde:(F)
Tout le monde:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
AUTORITE NT\Système:(I)(F)
AUTORITE NT\Système:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Administrateurs:(I)(OI)(CI)(IO)(F)
BUILTIN\Utilisateurs:(I)(RX)
BUILTIN\Utilisateurs:(I)(OI)(CI)(IO)(GR,GE)
CREATEUR PROPRIETAIRE:(I)(OI)(CI)(IO)(F)

1 fichiers correctement traités ; échec du traitement de 0 fichiers

C:\Users\s-dz\Desktop>


--- PoC Local DoS ---

first go to C:\program files\Internet Mobile\networkCfg.xml (Network configuration)
and write "A" * 3000 in <ConfigFileName>"A" x 3000</ConfigFileName> . Save it open the program .
poc will crash ...



Credits & Authors:
==================
Hadji Samir s-dz@hotmail.fr

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...